fix: meet external-api route, drive media proxy, alertbot, misc tweaks

- Meet: add external-api backend path, CSRF trusted origins
- Drive: fix media proxy regex for preview URLs and S3 key signing
- OpenBao: enable Prometheus telemetry
- Postgres alerts: fix metric name (cnpg_backends_total)
- Gitea: bump memory limits for mirror workloads
- Alertbot: expanded deployment config
- Kratos: add find/cal/projects to allowed return URLs, settings path
- Pingora: meet external-api route fix
- Sol: config update

base/lasuite/shared-config.yaml

@@ -61,3 +61,19 @@ data:
   OIDC_RP_SIGN_ALGO:              RS256
   OIDC_RP_SCOPES:                 openid email profile
   OIDC_VERIFY_SSL:                "true"
+---
+# Resource server config — shared by all La Suite services.
+# Enables bearer token auth via Hydra token introspection for the external_api.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: lasuite-resource-server
+  namespace: lasuite
+data:
+  OIDC_RESOURCE_SERVER_ENABLED: "True"
+  OIDC_OP_URL: https://auth.DOMAIN_SUFFIX/
+  OIDC_OP_INTROSPECTION_ENDPOINT: http://hydra-admin.ory.svc.cluster.local:4445/admin/oauth2/introspect
+  # Audience claim value for the sunbeam CLI. All La Suite services should
+  # include this in OIDC_RS_ALLOWED_AUDIENCES so the CLI can access their
+  # external APIs with an SSO bearer token.
+  OIDC_RS_CLI_AUDIENCE: sunbeam-cli