Helm: gateway template creates per-agent deployments; should support shared gateway

[JARVIS-coding-Agent]

Description

The v0.8.2 Helm chart added Gateway Deployment + Service templates (#677). Currently, gateway.enabled: true on an agent does two things simultaneously:

1. Adds the [gateway] section to the agent's config.toml
2. Creates a dedicated gateway Deployment + Service per agent

This means if 5 agents all set gateway.enabled: true, the chart creates 5 separate gateway pods — one per agent. However, the gateway is designed as a shared, one-to-many service using tokio::broadcast to fan out inbound webhook events to all connected OAB WebSocket clients.

Additional issues with the current template:

• No TELEGRAM_BOT_TOKEN injection — The gateway template only injects GATEWAY_WS_TOKEN and Teams-related env vars. For Telegram, TELEGRAM_BOT_TOKEN is required but not configurable via values.yaml, causing the pod to panic on startup.
• No sidecar support — Many deployments use a Cloudflare Tunnel (cloudflared) sidecar to expose the gateway webhook endpoint. The template has no extraContainers support.
• Cannot use config without deployment — Setting gateway.enabled: false removes both the config block and the deployment. There is no way to say "I want the [gateway] config but I already have an external gateway deployment."

Suggestion:

• Split gateway.enabled into two controls: one for config generation, one for deployment creation (e.g. gateway.deploy: true/false)
• Or add a top-level shared gateway deployment that all agents reference
• Add TELEGRAM_BOT_TOKEN (and other platform env vars) to the gateway template
• Support extraContainers / sidecar injection on the gateway pod

Steps to Reproduce

1. Install OpenAB Helm chart v0.8.2 with multiple agents configured
2. Set gateway.enabled: true on two or more agents in values.yaml:

   agents:
     agent-a:
       gateway:
         enabled: true
     agent-b:
       gateway:
         enabled: true

3. Run helm template or helm install and inspect the rendered manifests
4. Observe that each agent gets its own gateway Deployment + Service (e.g. agent-a-gateway, agent-b-gateway)
5. For the Telegram crash: set gateway.enabled: true on an agent that uses Telegram — the gateway pod starts without TELEGRAM_BOT_TOKEN and panics

Expected Behavior

• A single shared gateway Deployment + Service should be created, regardless of how many agents enable gateway connectivity
• All agents with gateway.enabled: true should connect to the same gateway instance via WebSocket
• The gateway pod should have all required platform env vars (TELEGRAM_BOT_TOKEN, etc.) configurable via values.yaml
• It should be possible to enable the [gateway] config block without creating a gateway deployment (for users who run an external gateway)

Environment

• OpenAB version: v0.8.2 (upgraded from 0.8.2-beta.7)
• Helm chart version: 0.8.2
• Kubernetes: v1.29
• Helm: v3.14

Screenshots / Logs

Gateway pod failing on startup due to missing TELEGRAM_BOT_TOKEN:

thread 'main' panicked at 'TELEGRAM_BOT_TOKEN must be set'
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Pod status progression: ImagePullBackOff → CrashLoopBackOff (after image was published but env var was still missing).