feat(infra): production bootstrap — cert-manager, longhorn, monitoring

Add new bases for cert-manager (Let's Encrypt + wildcard cert), Longhorn
distributed storage, and monitoring (kube-prometheus-stack + Loki + Tempo
+ Grafana OIDC). Add cloud-init for Scaleway Elastic Metal provisioning.

Production overlay: add patches for postgres sizing, SeaweedFS volume,
OpenSearch storage, LiveKit service, Pingora host ports, resource limits,
and CNPG daily barman backups. Update cert-manager.yaml with full dnsNames
for all *.sunbeam.pt subdomains.

overlays/production/values-resources.yaml

@@ -0,0 +1,293 @@
+# Production resource limits — Scaleway Elastic Metal, 12 cores, 64 GiB RAM.
+# ~10 GiB reserved for OS + k3s + Linkerd mesh overhead.
+# Replicas scaled up for production workloads.
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: meet-celery-worker
+  namespace: lasuite
+spec:
+  template:
+    spec:
+      containers:
+        - name: meet-celery-worker
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 100m
+            limits:
+              memory: 1Gi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cloudnative-pg
+  namespace: data
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 100m
+            limits:
+              memory: 512Mi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: livekit-server
+  namespace: media
+spec:
+  template:
+    spec:
+      containers:
+        - name: livekit-server
+          resources:
+            requests:
+              memory: 512Mi
+              cpu: 500m
+            limits:
+              memory: 2Gi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pingora
+  namespace: ingress
+spec:
+  template:
+    spec:
+      containers:
+        - name: pingora
+          resources:
+            requests:
+              memory: 128Mi
+              cpu: 250m
+            limits:
+              memory: 512Mi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: valkey
+  namespace: data
+spec:
+  template:
+    spec:
+      containers:
+        - name: valkey
+          resources:
+            requests:
+              memory: 128Mi
+              cpu: 50m
+            limits:
+              memory: 512Mi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: opensearch
+  namespace: data
+spec:
+  template:
+    spec:
+      containers:
+        - name: opensearch
+          env:
+            - name: OPENSEARCH_JAVA_OPTS
+              value: "-Xms2g -Xmx4g"
+          resources:
+            requests:
+              memory: 2Gi
+              cpu: 500m
+            limits:
+              memory: 5Gi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: seaweedfs-filer
+  namespace: storage
+spec:
+  template:
+    spec:
+      containers:
+        - name: filer
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 100m
+            limits:
+              memory: 1Gi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hydra-hydra-maester
+  namespace: ory
+spec:
+  template:
+    spec:
+      containers:
+        - name: hydra-maester
+          resources:
+            requests:
+              memory: 32Mi
+              cpu: 25m
+            limits:
+              memory: 128Mi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: login-ui
+  namespace: ory
+spec:
+  template:
+    spec:
+      containers:
+        - name: login-ui
+          resources:
+            requests:
+              memory: 128Mi
+              cpu: 50m
+            limits:
+              memory: 384Mi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hive
+  namespace: lasuite
+spec:
+  template:
+    spec:
+      containers:
+        - name: hive
+          resources:
+            requests:
+              memory: 64Mi
+            limits:
+              memory: 256Mi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: people-backend
+  namespace: lasuite
+spec:
+  replicas: 2
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: people-celery-worker
+  namespace: lasuite
+spec:
+  replicas: 2
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: people-frontend
+  namespace: lasuite
+spec:
+  replicas: 2
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: docs-celery-worker
+  namespace: lasuite
+spec:
+  replicas: 2
+  template:
+    spec:
+      containers:
+        - name: docs
+          env:
+            - name: CELERY_WORKER_CONCURRENCY
+              value: "4"
+          resources:
+            requests:
+              memory: 512Mi
+              cpu: 250m
+            limits:
+              memory: 1Gi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: docs-backend
+  namespace: lasuite
+spec:
+  replicas: 2
+  template:
+    spec:
+      containers:
+        - name: docs
+          env:
+            - name: WEB_CONCURRENCY
+              value: "4"
+          resources:
+            requests:
+              memory: 512Mi
+              cpu: 250m
+            limits:
+              memory: 1Gi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: docs-frontend
+  namespace: lasuite
+spec:
+  replicas: 2
+  template:
+    spec:
+      containers:
+        - name: docs
+          resources:
+            requests:
+              memory: 64Mi
+            limits:
+              memory: 256Mi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: docs-y-provider
+  namespace: lasuite
+spec:
+  replicas: 1
+  template:
+    spec:
+      containers:
+        - name: docs
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 100m
+            limits:
+              memory: 1Gi