feat: configurable k8s resources, CSIC training pipeline, unified Dockerfile

- Make K8s namespace, TLS secret, and config ConfigMap names configurable
  via [kubernetes] config section (previously hardcoded to "ingress")
- Add CSIC 2010 dataset converter and auto-download for scanner training
- Unify Dockerfile for local and production builds (remove cross-compile path)
- Bake ML models directory into container image
- Update CSIC dataset URL to self-hosted mirror (src.sunbeam.pt)
- Fix rate_limit pipeline log missing fields
- Consolidate docs/README.md into root README.md

Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>

src/config.rs

@@ -24,8 +24,38 @@ pub struct Config {
     pub rate_limit: Option<RateLimitConfig>,
     /// Optional per-request scanner detection.
     pub scanner: Option<ScannerConfig>,
+    /// Kubernetes resource names and namespaces for watchers.
+    #[serde(default)]
+    pub kubernetes: KubernetesConfig,
 }
 
+#[derive(Debug, Deserialize, Clone)]
+pub struct KubernetesConfig {
+    /// Namespace where the proxy's resources live (Secret, ConfigMap, Ingresses).
+    #[serde(default = "default_k8s_namespace")]
+    pub namespace: String,
+    /// Name of the TLS Secret watched for cert hot-reload.
+    #[serde(default = "default_tls_secret")]
+    pub tls_secret: String,
+    /// Name of the ConfigMap watched for config hot-reload.
+    #[serde(default = "default_config_configmap")]
+    pub config_configmap: String,
+}
+
+impl Default for KubernetesConfig {
+    fn default() -> Self {
+        Self {
+            namespace: default_k8s_namespace(),
+            tls_secret: default_tls_secret(),
+            config_configmap: default_config_configmap(),
+        }
+    }
+}
+
+fn default_k8s_namespace() -> String { "ingress".to_string() }
+fn default_tls_secret() -> String { "pingora-tls".to_string() }
+fn default_config_configmap() -> String { "pingora-config".to_string() }
+
 #[derive(Debug, Deserialize, Clone)]
 pub struct DDoSConfig {
     pub model_path: String,