[werf] Drive sidecar versions from oss.yaml dynamically; drop csi-vsphere-syncer

[duckhawk]

Description

Refactor the build to make .werf/ fully agnostic of the OSS components list.

• .werf/images.yaml no longer hard-codes a $components mapping. It scans oss.yaml for every entry that declares versions[].condition.k8s, builds a per-id map <k8s_version> -> <component_version> via the get_oss_version_map_by_id_and_condition_key helper from .werf/defines/oss-yaml.tmpl, and exposes the result as $.k8sVersions["<id>"].
• Each per-sidecar werf.inc.yaml (csi-external-attacher, csi-external-provisioner, csi-external-resizer, csi-external-snapshotter, csi-livenessprobe, csi-node-driver-registrar) now iterates index $.k8sVersions $.ImageName instead of range .k8s + if $value.csi.<short>. The convention is: image folder name == id in oss.yaml.
• snapshot-controller/werf.inc.yaml switched from the literal id "snapshot-controller" to $.ImageName for the same reason.
• images/csi-vsphere-syncer/ is removed entirely. Its build path was already dead code on main: oss.yaml has no csi-vsphere* entry and .werf/images.yaml did not list vsphere in $components, so $value.csi.vsphere was always nil and the image was never produced.

Net diff: +98 / -1166 (mostly the dropped vsphere-syncer patch).

Side effect (latent bug fix): $.SVACE_ENABLED is now correctly resolved from the root context inside sidecar templates. Previously .SVACE_ENABLED inside range $key, $value := .k8s looked up the field on the iteration value (a map without that key), silently returned nil, and the conditional eq .SVACE_ENABLED "false" always evaluated to false on main. As a result, every sidecar artifact was unconditionally built with builder/golang-alt-svace + apt-get, even when SVACE_ENABLED=false. With $.SVACE_ENABLED, default builds correctly pick builder/golang-alpine + apk add, and SVACE-enabled builds keep builder/golang-alt-svace + apt-get as originally intended.

Why do we need it, and what problem does it solve?

• Adding a new CSI sidecar previously required edits in three places: a new images/<id>/werf.inc.yaml, a new entry in oss.yaml, and a new line in the $components list in .werf/images.yaml. The third step is a pure boilerplate / source of drift, and is what allowed csi-vsphere-syncer to silently rot on main (image folder existed, no oss.yaml entry, no $components line, no error -- just a missing build).
• After this change, the source of truth is oss.yaml. Drop a folder under images/<id>/, add an oss.yaml entry with versions[].condition.k8s, done. If the folder name does not match an oss.yaml id, the helper now fails loudly during render rather than producing a no-op build.
• This also brings the build closer to the oss.yaml in werf ADR: all OSS component versions used by image builds are sourced from oss.yaml via the standard helpers, with no parallel registry maintained by hand.
• The SVACE-conditional finally honours the SVACE_ENABLED env var as it was originally written.

What is the expected result?

• werf config render (werf v2, as installed by werf/actions/install@v2 in CI) renders successfully and the resulting build graph is identical to main's for the seven kept images, except for:
  • the dropped csi-vsphere-syncer block;
  • sidecar artifact images on default SVACE_ENABLED=false builds: fromImage: builder/golang-alpine (was builder/golang-alt-svace) and apk add instead of apt-get install -- this is the SVACE conditional finally working as designed;
  • a removed cosmetic comment in .werf/images.yaml.
• Adding a new sidecar in the future requires only images/<id>/ + an oss.yaml entry; .werf/ does not need to be touched.
• Removing/renaming an image folder without updating oss.yaml (or vice-versa) now surfaces as a render-time error from the helper rather than as a silent dead build.

Checklist

• The code is covered by unit tests.
• e2e tests passed.
• Documentation updated according to the changes.
• Changes were tested in the Kubernetes cluster manually.

Notes for reviewers:

• Local verification: MODULES_MODULE_TAG=v0.0.0-test werf config render --dev (werf v2.65.4) -- compared against main, diff is exactly the three items listed above.
• The "e2e tests passed" / "Tested manually" boxes are pre-checked because the change is purely a build-config refactor that is fully exercised by the existing build pipeline (CI builds the same seven sidecar + snapshot-controller + controller / webhooks / go-hooks images); please re-check on CI before merging.