feat: bring up local dev stack — all services running

- Ory Hydra + Kratos: fixed secret management, DSN config, DB migrations,
  OAuth2Client CRD (helm template skips crds/ dir), login-ui env vars
- SeaweedFS: added s3.json credentials file via -s3.config CLI flag
- OpenBao: standalone mode with auto-unseal sidecar, keys in K8s secret
- OpenSearch: increased memory to 1.5Gi / JVM 1g heap
- Gitea: SSL_MODE disable, S3 bucket creation fixed
- Hive: automountServiceAccountToken: false (Lima virtiofs read-only rootfs quirk)
- LiveKit: API keys in values, hostPort conflict resolved
- Linkerd: native sidecar (proxy.nativeSidecar=true) to avoid blocking Jobs
- All placeholder images replaced: pingora→nginx:alpine, login-ui→oryd/kratos-selfservice-ui-node

Full stack running: postgres, valkey, openbao, opensearch, seaweedfs,
kratos, hydra, gitea, livekit, hive (placeholder), login-ui

base/data/kustomization.yaml

@@ -10,12 +10,20 @@ resources:
   - valkey-service.yaml
   - opensearch-deployment.yaml
   - opensearch-service.yaml
+  - openbao-keys-placeholder.yaml
 
 helmCharts:
   # helm repo add cnpg https://cloudnative-pg.github.io/charts
-  # releaseName=cloudnative-pg matches chart name → operator Deployment is named `cloudnative-pg`
   - name: cloudnative-pg
     repo: https://cloudnative-pg.github.io/charts
     version: "0.27.1"
     releaseName: cloudnative-pg
     namespace: data
+
+  # helm repo add openbao https://openbao.github.io/openbao-helm
+  - name: openbao
+    repo: https://openbao.github.io/openbao-helm
+    version: "0.25.6"
+    releaseName: openbao
+    namespace: data
+    valuesFile: openbao-values.yaml

base/data/openbao-keys-placeholder.yaml

@@ -0,0 +1,9 @@
+# Placeholder secret — replaced by the init script after `bao operator init`.
+# Exists so the auto-unseal sidecar's volume mount doesn't block pod startup.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: openbao-keys
+  namespace: data
+type: Opaque
+data: {}

base/data/openbao-values.yaml

@@ -0,0 +1,78 @@
+# OpenBao Helm values — standalone single-instance mode.
+# Root token + unseal key stored in K8s secret `openbao-keys` (created by init script).
+
+global:
+  tlsDisable: true
+
+injector:
+  enabled: true
+  agentDefaults:
+    cpuLimit: "250m"
+    cpuRequest: "50m"
+    memLimit: "64Mi"
+    memRequest: "32Mi"
+
+server:
+  image:
+    registry: quay.io
+    repository: openbao/openbao
+
+  standalone:
+    enabled: true
+    config: |
+      ui = true
+      listener "tcp" {
+        tls_disable = 1
+        address     = "[::]:8200"
+      }
+      storage "file" {
+        path = "/openbao/data"
+      }
+
+  dataStorage:
+    enabled: true
+    size: 1Gi
+
+  resources:
+    limits:
+      memory: 128Mi
+    requests:
+      memory: 64Mi
+      cpu: 50m
+
+  # Auto-unseal sidecar: reads unseal key from K8s secret and unseals on restart.
+  extraContainers:
+    - name: auto-unseal
+      image: quay.io/openbao/openbao
+      command: ["/bin/sh", "-c"]
+      args:
+        - |
+          export BAO_ADDR=http://127.0.0.1:8200
+          echo "auto-unseal: waiting for openbao to start..."
+          until bao status -format=json 2>/dev/null; do sleep 2; done
+          while true; do
+            if [ -f /openbao/unseal/key ]; then
+              SEALED=$(bao status -format=json 2>/dev/null | grep '"sealed"' | grep -c 'true')
+              if [ "$SEALED" = "1" ]; then
+                echo "auto-unseal: unsealing..."
+                bao operator unseal "$(cat /openbao/unseal/key)"
+              fi
+            fi
+            sleep 15
+          done
+      volumeMounts:
+        - name: userconfig-openbao-keys
+          mountPath: /openbao/unseal
+          readOnly: true
+      resources:
+        limits:
+          memory: 32Mi
+        requests:
+          memory: 16Mi
+          cpu: 10m
+
+  extraVolumes:
+    - type: secret
+      name: openbao-keys
+      path: openbao-unseal
+      optional: true

base/data/opensearch-deployment.yaml

@@ -33,12 +33,12 @@ spec:
             - name: discovery.type
               value: single-node
             - name: OPENSEARCH_JAVA_OPTS
-              value: "-Xms256m -Xmx512m"
+              value: "-Xms512m -Xmx1g"
             - name: DISABLE_SECURITY_PLUGIN
               value: "true"
           resources:
             limits:
-              memory: 512Mi
+              memory: 1500Mi
             requests:
-              memory: 256Mi
+              memory: 768Mi
               cpu: 100m

base/data/postgres-cluster.yaml

@@ -19,26 +19,27 @@ spec:
       secret:
         name: postgres-superuser
       postInitSQL:
-        # Create all 10 logical databases and their owners
-        - CREATE USER kratos;
+        # Create all 10 logical databases and their owners.
+        # Passwords are set by the seed-secrets script via ALTER USER after init.
+        - CREATE USER kratos WITH LOGIN;
         - CREATE DATABASE kratos_db OWNER kratos;
-        - CREATE USER hydra;
+        - CREATE USER hydra WITH LOGIN;
         - CREATE DATABASE hydra_db OWNER hydra;
-        - CREATE USER docs;
+        - CREATE USER docs WITH LOGIN;
         - CREATE DATABASE docs_db OWNER docs;
-        - CREATE USER meet;
+        - CREATE USER meet WITH LOGIN;
         - CREATE DATABASE meet_db OWNER meet;
-        - CREATE USER drive;
+        - CREATE USER drive WITH LOGIN;
         - CREATE DATABASE drive_db OWNER drive;
-        - CREATE USER messages;
+        - CREATE USER messages WITH LOGIN;
         - CREATE DATABASE messages_db OWNER messages;
-        - CREATE USER conversations;
+        - CREATE USER conversations WITH LOGIN;
         - CREATE DATABASE conversations_db OWNER conversations;
-        - CREATE USER people;
+        - CREATE USER people WITH LOGIN;
         - CREATE DATABASE people_db OWNER people;
-        - CREATE USER gitea;
+        - CREATE USER gitea WITH LOGIN;
         - CREATE DATABASE gitea_db OWNER gitea;
-        - CREATE USER hive;
+        - CREATE USER hive WITH LOGIN;
         - CREATE DATABASE hive_db OWNER hive;
 
   storage: