feat(ory): replace hardcoded DSN + secrets with OpenBao DB engine + VSO

All Ory service credentials now flow from OpenBao through VSO instead
of being hardcoded in Helm values or Deployment env vars.

Kratos:
- Remove config.dsn; flip secret.enabled=false with nameOverride pointing
  at kratos-app-secrets (a VSO-managed Secret with secretsDefault,
  secretsCookie, smtpConnectionURI).
- Inject DSN at runtime via deployment.extraEnv from kratos-db-creds
  (VaultDynamicSecret backed by OpenBao database static role, 24h rotation).

Hydra:
- Remove config.dsn; inject DSN via deployment.extraEnv from hydra-db-creds
  (VaultDynamicSecret, same rotation scheme).

Login UI:
- Replace hardcoded COOKIE_SECRET/CSRF_COOKIE_SECRET env var values with
  secretKeyRef reads from login-ui-secrets (VaultStaticSecret → secret/login-ui).

vault-secrets.yaml adds: VaultAuth, Hydra VSS, kratos-app-secrets VSS,
login-ui-secrets VSS, kratos-db-creds VDS, hydra-db-creds VDS.

base/ory/hydra-values.yaml

@@ -1,13 +1,12 @@
 # Base Ory Hydra Helm values.
 # DOMAIN_SUFFIX is replaced at apply time via sed.
 # secret.enabled: false — we create the "hydra" K8s Secret via seed script.
-# DSN is set in config (chart strips it from env, so must be in values).
+# DSN comes from env var via VaultDynamicSecret hydra-db-creds (database static role).
 
 hydra:
   automigration:
     enabled: true
   config:
-    dsn: "postgresql://hydra:localdev@postgres-rw.data.svc.cluster.local:5432/hydra_db?sslmode=disable"
     urls:
       self:
         issuer: https://auth.DOMAIN_SUFFIX/
@@ -37,6 +36,12 @@ hydra-maester:
     - lasuite
 
 deployment:
+  extraEnv:
+    - name: DSN
+      valueFrom:
+        secretKeyRef:
+          name: hydra-db-creds
+          key: dsn
   resources:
     limits:
       memory: 64Mi