feat(lasuite): add calendars service deployment manifests

Add K8s manifests for calendars backend, frontend (Caddy), CalDAV
server, and Celery worker. Wire Pingora routing for cal.sunbeam.pt
with path-based backend/caldav/static splits. Add OAuth2Client for
OIDC, VaultDynamicSecret for DB credentials, VaultStaticSecret for
Django/CalDAV keys, and TLS cert coverage for the cal subdomain.
Register calendars in the integration service gaufre widget.

overlays/local/kustomization.yaml

@@ -53,6 +53,17 @@ images:
     newName: src.DOMAIN_SUFFIX/studio/meet-frontend
     newTag: latest
 
+  # Calendars — built from source and pushed to Gitea registry.
+  - name: calendars-backend
+    newName: src.DOMAIN_SUFFIX/studio/calendars-backend
+    newTag: latest
+  - name: calendars-caldav
+    newName: src.DOMAIN_SUFFIX/studio/calendars-caldav
+    newTag: latest
+  - name: calendars-frontend
+    newName: src.DOMAIN_SUFFIX/studio/calendars-frontend
+    newTag: latest
+
 patches:
   # Disable SSL verification for OIDC server-side calls — mkcert CA not trusted in pods
   - path: patch-oidc-verify-ssl.yaml

overlays/production/cert-manager.yaml

@@ -70,3 +70,4 @@ spec:
     - admin.DOMAIN_SUFFIX
     - integration.DOMAIN_SUFFIX
     - livekit.DOMAIN_SUFFIX
+    - cal.DOMAIN_SUFFIX

overlays/production/kustomization.yaml

@@ -64,6 +64,17 @@ images:
     newName: src.DOMAIN_SUFFIX/studio/messages-socks-proxy
     newTag: latest
 
+  # Calendars — built from source and pushed to Gitea registry.
+  - name: calendars-backend
+    newName: src.DOMAIN_SUFFIX/studio/calendars-backend
+    newTag: latest
+  - name: calendars-caldav
+    newName: src.DOMAIN_SUFFIX/studio/calendars-caldav
+    newTag: latest
+  - name: calendars-frontend
+    newName: src.DOMAIN_SUFFIX/studio/calendars-frontend
+    newTag: latest
+
   # Tuwunel Matrix homeserver — built and pushed by `sunbeam build tuwunel`
   - name: tuwunel
     newName: src.DOMAIN_SUFFIX/studio/tuwunel