fix(local): kustomize render passes cleanly

- Remove base/mesh from local overlay (Linkerd installed via CLI in local-up.sh)
- Fix LiveKit namespace: chart doesn't set .Release.Namespace, add explicit patches
- Fix release names: livekit-server and cloudnative-pg match chart names (avoid double-prefix)
- Disable hydra-maester (not needed for local dev)
- Add memory limits for cloudnative-pg operator and livekit-server deployments
- Remove non-functional values-ory.yaml patch (DOMAIN_SUFFIX handled by sed in local-up.sh)
- Gitignore **/charts/ (kustomize helm cache, generated artifact)

.gitignore

@@ -2,3 +2,5 @@ secrets/local/
 *.pem
 *-key.pem
 .DS_Store
+# kustomize helm chart download cache
+**/charts/

base/data/kustomization.yaml

@@ -12,10 +12,10 @@ resources:
   - opensearch-service.yaml
 
 helmCharts:
-  # CloudNativePG operator — chart name: cloudnative-pg
   # helm repo add cnpg https://cloudnative-pg.github.io/charts
+  # releaseName=cloudnative-pg matches chart name → operator Deployment is named `cloudnative-pg`
   - name: cloudnative-pg
     repo: https://cloudnative-pg.github.io/charts
     version: "0.27.1"
-    releaseName: cnpg
+    releaseName: cloudnative-pg
     namespace: data

base/media/kustomization.yaml

@@ -7,11 +7,45 @@ resources:
   - namespace.yaml
 
 helmCharts:
-  # chart name is `livekit-server`, not `livekit-helm`
   # helm repo add livekit https://helm.livekit.io
+  # releaseName=livekit-server matches chart name → Helm deduplicates the prefix,
+  # so resources are named `livekit-server` instead of `livekit-livekit-server`.
   - name: livekit-server
     repo: https://helm.livekit.io
     version: "1.9.0"
-    releaseName: livekit
+    releaseName: livekit-server
     namespace: media
     valuesFile: livekit-values.yaml
+
+# The livekit-server chart does not set .Release.Namespace in its templates,
+# so kustomize's namespace field doesn't inject it automatically.
+# Patch namespace onto each chart-rendered resource explicitly.
+patches:
+  - patch: |
+      - op: add
+        path: /metadata/namespace
+        value: media
+    target:
+      kind: Deployment
+      name: livekit-server
+  - patch: |
+      - op: add
+        path: /metadata/namespace
+        value: media
+    target:
+      kind: Service
+      name: livekit-server
+  - patch: |
+      - op: add
+        path: /metadata/namespace
+        value: media
+    target:
+      kind: Service
+      name: livekit-server-turn
+  - patch: |
+      - op: add
+        path: /metadata/namespace
+        value: media
+    target:
+      kind: ConfigMap
+      name: livekit-server

base/ory/hydra-values.yaml

@@ -2,6 +2,11 @@
 # DOMAIN_SUFFIX is replaced by overlay patches.
 # DSN and system secrets come from the overlay-specific Secret.
 
+# Disable the maester controller — it manages OAuth2Client CRDs which we don't use locally.
+# OAuth2 clients are registered directly via the Hydra admin API.
+maester:
+  enabled: false
+
 hydra:
   config:
     dsn: "postgresql://hydra:$(HYDRA_DB_PASSWORD)@postgres-rw.data.svc.cluster.local:5432/hydra_db"

overlays/local/kustomization.yaml

@@ -3,9 +3,15 @@ kind: Kustomization
 
 # Local dev overlay — targets Lima VM running k3s on macOS
 # Deploy with: kubectl apply -k overlays/local/
+#
+# NOTE: base/mesh (Linkerd) is excluded here. Linkerd is bootstrapped
+# separately by scripts/local-up.sh via the Linkerd CLI, which avoids
+# the identity cert bootstrapping problem at kustomize render time.
+#
+# DOMAIN_SUFFIX substitution: local-up.sh pipes `kustomize build | sed` to
+# replace DOMAIN_SUFFIX with <LIMA_IP>.sslip.io before kubectl apply.
 
 resources:
-  - ../../base/mesh
   - ../../base/ingress
   - ../../base/ory
   - ../../base/data
@@ -15,23 +21,11 @@ resources:
   - ../../base/devtools
 
 patches:
-  # sslip.io domain suffix derived from Lima VM IP
-  - path: values-domain.yaml
-    target:
-      kind: ConfigMap
-      name: pingora-config
-
-  # Disable rustls-acme; mount mkcert cert; enable hostPort for Lima
+  # Disable rustls-acme; add hostPort for TURN relay range on Lima VM
   - path: values-pingora.yaml
     target:
       kind: Deployment
       name: pingora
 
-  # Swap redirect URIs to *.sslip.io for Kratos and Hydra
-  - path: values-ory.yaml
-    target:
-      kind: ConfigMap
-      labelSelector: "app.kubernetes.io/part-of=ory"
-
-  # Apply §10.7 memory limits across all Deployments
+  # Apply §10.7 memory limits to all Deployments
   - path: values-resources.yaml

overlays/local/values-resources.yaml

@@ -3,6 +3,36 @@
 #
 # Applied as a strategic merge patch. Each stanza targets one Deployment by name.
 
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cloudnative-pg
+  namespace: data
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          resources:
+            limits:
+              memory: 256Mi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: livekit-server
+  namespace: media
+spec:
+  template:
+    spec:
+      containers:
+        - name: livekit-server
+          resources:
+            limits:
+              memory: 128Mi
+
 ---
 apiVersion: apps/v1
 kind: Deployment