feat(infra): Meet integration, La Suite theming, Pingora SSH + meet routes

Meet: add backend/frontend/celery deployments and services, meet-config
ConfigMap, nginx SPA config, VSO secrets (meet-db-credentials VDS,
meet-django-secret and meet-livekit VSS). Wire oidc-meet OAuth2Client.

La Suite overlay discipline: move people/docs frontend nginx ConfigMaps
and patches from overlays/local to base so both environments share them.
Remove values-ory.yaml (folded into base). Add docs-frontend nginx config
with sub_filter theming. Add local gitea mkcert CA patch.

Pingora: add [ssh] TCP passthrough block (port 22 → Gitea SSH pod) and
split meet route into frontend default + backend paths for /api/, /admin/,
/oidc/, /static/, /__. Remove now-unused values-pingora.yaml from production
overlay (host ports moved to patch-pingora-hostport.yaml).

Update both overlay kustomizations to reference all new resources and
add meet-backend/meet-frontend image entries.

base/ingress/kustomization.yaml

@@ -9,3 +9,8 @@ resources:
   - pingora-deployment.yaml
   - pingora-service.yaml
   - pingora-config.yaml
+
+images:
+  - name: sunbeam-proxy
+    newName: src.DOMAIN_SUFFIX/studio/proxy
+    newTag: latest

base/ingress/pingora-config.yaml

@@ -58,9 +58,29 @@ data:
 
     [[routes]]
     host_prefix = "meet"
-    backend     = "http://meet.lasuite.svc.cluster.local:8000"
+    backend     = "http://meet-frontend.lasuite.svc.cluster.local:80"
     websocket   = true
 
+      [[routes.paths]]
+      prefix  = "/api/"
+      backend = "http://meet-backend.lasuite.svc.cluster.local:80"
+
+      [[routes.paths]]
+      prefix  = "/admin/"
+      backend = "http://meet-backend.lasuite.svc.cluster.local:80"
+
+      [[routes.paths]]
+      prefix  = "/oidc/"
+      backend = "http://meet-backend.lasuite.svc.cluster.local:80"
+
+      [[routes.paths]]
+      prefix  = "/static/"
+      backend = "http://meet-backend.lasuite.svc.cluster.local:80"
+
+      [[routes.paths]]
+      prefix  = "/__"
+      backend = "http://meet-backend.lasuite.svc.cluster.local:80"
+
     [[routes]]
     host_prefix = "drive"
     backend     = "http://drive.lasuite.svc.cluster.local:8000"
@@ -131,6 +151,16 @@ data:
     host_prefix = "integration"
     backend     = "http://integration.lasuite.svc.cluster.local:80"
 
+
+    [[routes]]
+    host_prefix = "grafana"
+    backend     = "http://kube-prometheus-stack-grafana.monitoring.svc.cluster.local:80"
+
     [[routes]]
     host_prefix = "s3"
     backend     = "http://seaweedfs-filer.storage.svc.cluster.local:8333"
+
+    # SSH TCP passthrough: port 22 → Gitea SSH pod (headless service → pod:2222).
+    [ssh]
+    listen  = "0.0.0.0:22"
+    backend = "gitea-ssh.devtools.svc.cluster.local:2222"

base/ingress/pingora-deployment.yaml

@@ -23,6 +23,7 @@ spec:
       containers:
         - name: pingora
           image: sunbeam-proxy:latest   # overridden per overlay via kustomize images:
+          imagePullPolicy: IfNotPresent  # pre-seeded into containerd; avoids pull deadlock on startup
           ports:
             - name: http
               containerPort: 80
@@ -30,6 +31,9 @@ spec:
             - name: https
               containerPort: 443
               protocol: TCP
+            - name: ssh
+              containerPort: 22
+              protocol: TCP
             - name: turn-udp
               containerPort: 3478
               protocol: UDP