fix(local): kustomize render passes cleanly

- Remove base/mesh from local overlay (Linkerd installed via CLI in local-up.sh)
- Fix LiveKit namespace: chart doesn't set .Release.Namespace, add explicit patches
- Fix release names: livekit-server and cloudnative-pg match chart names (avoid double-prefix)
- Disable hydra-maester (not needed for local dev)
- Add memory limits for cloudnative-pg operator and livekit-server deployments
- Remove non-functional values-ory.yaml patch (DOMAIN_SUFFIX handled by sed in local-up.sh)
- Gitignore **/charts/ (kustomize helm cache, generated artifact)

overlays/local/kustomization.yaml

@@ -3,9 +3,15 @@ kind: Kustomization
 
 # Local dev overlay — targets Lima VM running k3s on macOS
 # Deploy with: kubectl apply -k overlays/local/
+#
+# NOTE: base/mesh (Linkerd) is excluded here. Linkerd is bootstrapped
+# separately by scripts/local-up.sh via the Linkerd CLI, which avoids
+# the identity cert bootstrapping problem at kustomize render time.
+#
+# DOMAIN_SUFFIX substitution: local-up.sh pipes `kustomize build | sed` to
+# replace DOMAIN_SUFFIX with <LIMA_IP>.sslip.io before kubectl apply.
 
 resources:
-  - ../../base/mesh
   - ../../base/ingress
   - ../../base/ory
   - ../../base/data
@@ -15,23 +21,11 @@ resources:
   - ../../base/devtools
 
 patches:
-  # sslip.io domain suffix derived from Lima VM IP
-  - path: values-domain.yaml
-    target:
-      kind: ConfigMap
-      name: pingora-config
-
-  # Disable rustls-acme; mount mkcert cert; enable hostPort for Lima
+  # Disable rustls-acme; add hostPort for TURN relay range on Lima VM
   - path: values-pingora.yaml
     target:
       kind: Deployment
       name: pingora
 
-  # Swap redirect URIs to *.sslip.io for Kratos and Hydra
-  - path: values-ory.yaml
-    target:
-      kind: ConfigMap
-      labelSelector: "app.kubernetes.io/part-of=ory"
-
-  # Apply §10.7 memory limits across all Deployments
+  # Apply §10.7 memory limits to all Deployments
   - path: values-resources.yaml