feat(infra): production bootstrap — cert-manager, longhorn, monitoring

Add new bases for cert-manager (Let's Encrypt + wildcard cert), Longhorn
distributed storage, and monitoring (kube-prometheus-stack + Loki + Tempo
+ Grafana OIDC). Add cloud-init for Scaleway Elastic Metal provisioning.

Production overlay: add patches for postgres sizing, SeaweedFS volume,
OpenSearch storage, LiveKit service, Pingora host ports, resource limits,
and CNPG daily barman backups. Update cert-manager.yaml with full dnsNames
for all *.sunbeam.pt subdomains.

base/monitoring/vault-secrets.yaml

@@ -0,0 +1,36 @@
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vso-auth
+  namespace: monitoring
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: vso
+    serviceAccount: default
+---
+# Grafana admin password from OpenBao KV at secret/grafana.
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: grafana-admin
+  namespace: monitoring
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: grafana
+  refreshAfter: 30s
+  destination:
+    name: grafana-admin
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        admin-password:
+          text: "{{ index .Secrets \"admin-password\" }}"
+        admin-user:
+          text: "admin"