feat: add tuwunel/matrix support with OpenSearch ML post-apply hooks

- Add matrix to MANAGED_NS and tuwunel to restart/build targets
- Add post-apply hooks for matrix namespace:
  - _patch_tuwunel_oauth2_redirect: reads client_id from hydra-maester
    Secret and patches OAuth2Client redirectUris dynamically
  - _inject_opensearch_model_id: reads model_id from ingest pipeline
    and writes to ConfigMap for tuwunel deployment env var injection
- Add post-apply hook for data namespace:
  - _ensure_opensearch_ml: idempotently registers/deploys all-mpnet-base-v2
    (768-dim) model, creates ingest + hybrid search pipelines
- Add tuwunel secrets to OpenBao seed (OIDC, TURN, registration token)
- Refactor secret seeding to only write dirty paths (avoid VSO churn)
- Add ACME email fallback from config when not provided via CLI flag
2026-03-10 19:23:30 +00:00
parent 928323e481
commit c82f15b190
4 changed files with 362 additions and 66 deletions


@@ -8,8 +8,8 @@ from sunbeam.kube import kube, kube_out, parse_target
from sunbeam.tools import ensure_tool
from sunbeam.output import step, ok, warn, die
MANAGED_NS = ["data", "devtools", "ingress", "lasuite", "media", "ory", "storage",
"vault-secrets-operator"]
MANAGED_NS = ["data", "devtools", "ingress", "lasuite", "matrix", "media", "ory",
"storage", "vault-secrets-operator"]
SERVICES_TO_RESTART = [
("ory", "hydra"),
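Review bot: inserting "matrix" into MANAGED_NS ahead of "ory" raises an ordering question for the new post-apply hook: the commit message says `_patch_tuwunel_oauth2_redirect` reads the client_id from the hydra-maester Secret, which lives in the ory namespace, so if apply walks MANAGED_NS in list order the matrix hook runs before ory has been applied on a fresh cluster. Either confirm the hook tolerates a missing Secret (skip with a warn and re-run later) or document that namespace order is resolved elsewhere.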
@@ -22,6 +22,7 @@ SERVICES_TO_RESTART = [
("lasuite", "people-frontend"),
("lasuite", "people-celery-worker"),
("lasuite", "people-celery-beat"),
("matrix", "tuwunel"),
("media", "livekit-server"),
]
@@ -186,8 +187,9 @@ def cmd_logs(target: str, follow: bool):
if not name:
die("Logs require a service name, e.g. 'ory/kratos'.")
_kube_mod.ensure_tunnel()
kubectl = str(ensure_tool("kubectl"))
cmd = [kubectl, "--context=sunbeam", "-n", ns, "logs",
cmd = [kubectl, _kube_mod.context_arg(), "-n", ns, "logs",
"-l", f"app={name}", "--tail=100"]
if follow:
cmd.append("--follow")
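Review bot: the cmd_logs change from the hard-coded `"--context=sunbeam"` to `_kube_mod.context_arg()` is unrelated to the matrix/tuwunel feature and is not mentioned in the commit message; it would be cleaner as its own commit or at least listed in the message. Also confirm that `context_arg()` returns a single string (e.g. `"--context=<name>"`) and never `None` or a list, since it is placed as one element of the argv list passed to kubectl and would otherwise break the command.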