
Add Portworx + OpenShift Virtualization collector and policy checks#5

Merged
phenixblue merged 31 commits into main from feature/portworx-collector on Apr 9, 2026

Conversation

@phenixblue
Owner

Summary

Introduces a new end-to-end collector (portworx-kubevirt) that scans a cluster running Portworx Enterprise with OpenShift Virtualization (KubeVirt) and evaluates it against the Portworx Best Practices Guide for OpenShift Virtualization. Adds 24 policy checks covering storage configuration, component versions, cluster health, and VM disk configuration.


What's new

Collector (examples/collectors/portworx-kubevirt/)

  • collect.py — in-cluster Python script that queries the Kubernetes API to snapshot:
    • Portworx StorageClasses, StorageProfiles, StorageClusters (via CRD)
    • PVCs labelled portworx.io/app=kubevirt
    • KubeVirt VirtualMachines with per-disk block size details
    • Component versions: OCP (ClusterVersion CRD), OSV/KubeVirt operator (HyperConverged CR), MTV/Forklift, virt-v2v, PX-Backup
    • Full pxctl status --json output via WebSocket exec into a running Portworx pod
  • metadata.json — collector manifest with RBAC rules for all required API groups
  • policy.rego — 24 OPA checks across 4 categories (77 tests, all passing):
| # | Check | Severity |
|---|-------|----------|
| 1 | Collector data present | info/error |
| 2–3 | StorageClass exists; replication factor ≥ 3 | info/error |
| 4–6 | StorageClass binding mode, volume expansion, sharedv4 | info/error/warning |
| 7 | nodiscard=true on default KubeVirt StorageClass | info/error |
| 8 | StorageProfile claim property sets | info/error |
| 9 | PVC access mode (ReadWriteMany) and volume mode (Block) | info/error |
| 10–12 | Portworx Enterprise, Operator, Stork minimum versions (3.5.2 / 25.5.2 / 26.1.0) | info/error/warning |
| 13 | Portworx cluster status OK | info/error |
| 14 | License validity and days remaining | info/error/warning |
| 15–16 | Global and per-node pool utilisation | info/warning |
| 17 | storev2 metadata volume present | info/warning |
| 18 | Node health (storage status and metadata device) | info/error/warning |
| 19 | Non-root VM disk block sizes (4096/4096) | info/warning |
| 20–24 | OCP, OSV, MTV/Forklift, virt-v2v, PX-Backup minimum versions | info/error (skip if not installed) |

Framework enhancements (internal/)

  • collector/rbac.go — dynamic ClusterRole/ClusterRoleBinding creation from collector metadata.json rules
  • collector/script_configmap.go — ConfigMap-mounted scripts so collect.py is not baked into the image
  • collector/job_collector.go — scope-aware Job orchestration (once-per-cluster vs per-node)
  • config/config.go — YAML config file support (~/.config/kvirtbp/config.yaml or ./config.yaml), auto-generated on first run; supports engine, output, timeout, exclude_checks
  • checks/filter.go — `--check foo-` trailing-dash syntax to exclude individual checks alongside the existing `--check foo` include syntax
  • cli/scan.go — `--engine` flag respects config file when not explicitly set on the command line
  • report/table.go — long message word-wrapping in table output

E2E lab scripts

  • scripts/e2e_kind_px_kubevirt.sh — kind-based lab: provisions a full PX + KubeVirt stack for local testing
  • scripts/e2e_k3s_px_kubevirt.sh — k3d/k3s variant

Testing

  • 77/77 OPA unit tests pass (opa test examples/collectors/portworx-kubevirt/)
  • go build ./... clean
  • E2E scripts validated against kind and k3d clusters

Checklist

  • OPA tests cover pass, fail, skip, and unknown cases for every check
  • Component version checks skip gracefully when the component is not installed
  • RBAC rules in metadata.json cover all API groups accessed by collect.py
  • Config file auto-generated with documented defaults on first run
  • No breaking changes to existing collectors or CLI flags
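The check semantics the description lists (replication factor ≥ 3, `nodiscard=true`, ReadWriteMany/Block PVCs, minimum component versions that skip when a component is absent) can be exercised outside the cluster. The following is an added example, not the PR's collect.py or policy.rego: a small Python evaluator over a constructed collector snapshot whose shape (`storageclasses`, `pvcs`, `versions` keys, `repl`/`nodiscard` parameters, the `Result` type and check ids) is an assumption, chosen to mirror how the pass/fail/skip/unknown outcomes in the checklist behave. The version thresholds are the ones stated for checks 10–12; applying the "skip if not installed" rule to them is also an assumption.

```python
"""Added example (not project code): evaluate a few Portworx/KubeVirt best-practice
checks against a constructed collector snapshot. Snapshot shape is assumed."""
from dataclasses import dataclass
from typing import Optional

# Minimum versions for Portworx Enterprise, Operator and Stork as stated in the PR.
MIN_VERSIONS = {"portworx": "3.5.2", "operator": "25.5.2", "stork": "26.1.0"}


@dataclass
class Result:
    check: str
    status: str   # pass | fail | skip | unknown
    message: str


def parse_version(v: str) -> tuple:
    """'v3.5.2-rc1' -> (3, 5, 2). Raises ValueError on non-numeric input."""
    core = v.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def check_min_version(name: str, found: Optional[str], minimum: str) -> Result:
    """Skip when the component is absent, 'unknown' when its version is unparseable."""
    if found is None:
        return Result(f"{name}_version", "skip", f"{name}: not installed")
    try:
        ok = parse_version(found) >= parse_version(minimum)
    except ValueError:
        return Result(f"{name}_version", "unknown", f"{name}: unparseable version {found!r}")
    return Result(f"{name}_version", "pass" if ok else "fail",
                  f"{name}: {found} (minimum {minimum})")


def check_storageclass(sc: dict) -> list:
    """Replication factor >= 3 and nodiscard=true, read from StorageClass parameters."""
    name = sc.get("metadata", {}).get("name", "?")
    params = sc.get("parameters", {})
    results = []
    repl = params.get("repl")
    if repl is None or not str(repl).isdigit():
        results.append(Result("sc_repl", "unknown", f"{name}: repl parameter missing or non-numeric"))
    else:
        results.append(Result("sc_repl", "pass" if int(repl) >= 3 else "fail",
                              f"{name}: repl={repl} (minimum 3)"))
    nodiscard = str(params.get("nodiscard", "false")).lower() == "true"
    results.append(Result("sc_nodiscard", "pass" if nodiscard else "fail",
                          f"{name}: nodiscard={'true' if nodiscard else 'false'}"))
    return results


def check_pvc(pvc: dict) -> Result:
    """VM disk PVCs must be ReadWriteMany with volumeMode Block."""
    name = pvc.get("metadata", {}).get("name", "?")
    spec = pvc.get("spec", {})
    modes = spec.get("accessModes", [])
    vmode = spec.get("volumeMode", "Filesystem")   # Kubernetes default when unset
    ok = "ReadWriteMany" in modes and vmode == "Block"
    return Result("pvc_modes", "pass" if ok else "fail",
                  f"{name}: accessModes={modes} volumeMode={vmode}")


def evaluate(snapshot: dict) -> list:
    """Run every check over the snapshot and return results in a stable order."""
    results = []
    for sc in snapshot.get("storageclasses", []):
        results.extend(check_storageclass(sc))
    for pvc in snapshot.get("pvcs", []):
        results.append(check_pvc(pvc))
    versions = snapshot.get("versions", {})
    for component, minimum in MIN_VERSIONS.items():
        results.append(check_min_version(component, versions.get(component), minimum))
    return results


# Constructed sample snapshot (not real cluster output): one compliant and one
# non-compliant StorageClass and PVC, one passing, one failing and one absent component.
SAMPLE_SNAPSHOT = {
    "storageclasses": [
        {"metadata": {"name": "px-kubevirt-ok"}, "parameters": {"repl": "3", "nodiscard": "true"}},
        {"metadata": {"name": "px-kubevirt-bad"}, "parameters": {"repl": "2"}},
    ],
    "pvcs": [
        {"metadata": {"name": "vm-disk-ok"},
         "spec": {"accessModes": ["ReadWriteMany"], "volumeMode": "Block"}},
        {"metadata": {"name": "vm-disk-bad"},
         "spec": {"accessModes": ["ReadWriteOnce"]}},
    ],
    "versions": {"portworx": "3.5.2", "operator": "25.4.1", "stork": None},
}


if __name__ == "__main__":
    for r in evaluate(SAMPLE_SNAPSHOT):
        print(f"{r.status:8} {r.check:16} {r.message}")
```

The ordering of outcomes matters for a policy engine consumer: a component that is absent yields `skip` rather than `fail`, and a version string the collector captured but cannot parse yields `unknown`, so a downstream report can distinguish "not applicable" from "violated" from "could not determine".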

@phenixblue phenixblue merged commit 430f9fe into main Apr 9, 2026
4 checks passed
@phenixblue phenixblue deleted the feature/portworx-collector branch April 9, 2026 04:04