Followup: defaults, named args, expanded docs

[theoephraim]

Hey @idorozin! Picking up on PR dmno-dev#737 — really like the plugin, and wanted to layer on a few ergonomic improvements and bring the docs/README in line with our other plugins (AWS, Vault, etc.) before we merge.

Sending as a PR into your fork's branch rather than pushing directly so you can review at your pace and it doesn't clobber any in-flight work on your side. Feel free to take or leave anything.

What changed

Plugin behavior

• defaultSecret / defaultConfigMap on @initKubernetes() — for the very common k8s pattern where one app has one Secret + one ConfigMap. Lets you write DATABASE_URL=k8sSecret() instead of repeating app-secrets on every line.
• Mixed positional + named args on all four resolvers (id=, name=, key=) — so callers can override just one field, e.g. k8sSecret(key=stripe_api_key) to use the default Secret but a custom key. Conflicts (e.g. positional + named for the same field) raise a schema error.
• Renamed KubernetesAuthConfig → KubernetesInstanceConfig since it now holds non-auth config too.
• Icon switched to mdi:kubernetes (matches our preferred icon set).
• Dropped two 'unreachable' error guards in the bulk resolvers — they were dead-code guards against impossible states the type system already ruled out.

Docs

• Added a Scope section to the website page and README intro that's explicit about what this plugin does and doesn't do (read-only Secret/ConfigMap reads, no manifest generation or cluster mutation), with typical use cases and a Discord pointer for folks who want deeper k8s integration.
• Restructured the website docs page (was ~100 lines, now ~540) to match the AWS/Vault layout — authentication priority, full Kubernetes Setup section with RBAC YAML, ServiceAccount/RoleBinding, bearer token generation, formal Reference section, troubleshooting.
• Expanded the README similarly to match the depth of other plugins (~140 → ~380 lines).
• Added a "How Secrets and ConfigMaps are structured" mental-model bit early in the Loading values section — clarifies the two-level lookup (resource name + key) for readers who are newer to k8s.

Tests

Added 5 tests covering: defaultSecret, defaultConfigMap (with name=/key= overrides), positional name overriding default, missing-name-without-default error, and positional/named arg conflict detection. Existing 6 tests still pass — 11/11 green.

Verification

• bun run --filter @varlock/kubernetes-plugin build ✓
• bun run --filter @varlock/kubernetes-plugin typecheck ✓
• bun run --filter @varlock/kubernetes-plugin test ✓ (11/11)
• bun run lint ✓

Merging this into your add-kubernetes-plugin branch will automatically update PR dmno-dev#737 against dmno-dev/varlock. Once that's green we can ship it!

[idorozin]

Tested against my setup — no regression.

• Existing k8sSecret(...) positional patterns still resolve
• defaultSecret via k8sSecret() (key auto-inferred)
• key= / name= overrides (key= returns a different value → genuinely re-targeting)
• positional + named conflict correctly errors
• build/typecheck/tests green (11/11)