feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates

- Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS
  proxy, worker, DKIM config, and theme customization
- Add Collabora deployment for document collaboration
- Add Drive frontend nginx config and values
- Add buildkitd namespace for in-cluster container builds
- Add SeaweedFS remote sync and additional S3 buckets
- Update vault secrets across namespaces (devtools, lasuite, media,
  monitoring, ory, storage) with expanded credential management
- Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus
  remote write and additional scrape configs
- Update local/production overlays with resource patches
- Remove stale login-ui resource patch from production overlay

base/lasuite/messages-config.yaml

@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: messages-config
+  namespace: lasuite
+data:
+  DJANGO_CONFIGURATION:          Production
+  DJANGO_SETTINGS_MODULE:        messages.settings
+  DJANGO_ALLOWED_HOSTS:          mail.DOMAIN_SUFFIX,messages-backend.lasuite.svc.cluster.local
+  ALLOWED_HOSTS:                 mail.DOMAIN_SUFFIX,messages-backend.lasuite.svc.cluster.local
+  DJANGO_CSRF_TRUSTED_ORIGINS:   https://mail.DOMAIN_SUFFIX
+  DB_NAME:                       messages_db
+  DB_USER:                       messages
+  OPENSEARCH_URL:                http://opensearch.data.svc.cluster.local:9200
+  MDA_API_BASE_URL:              http://messages-backend.lasuite.svc.cluster.local:80/api/v1.0/
+  MYHOSTNAME:                    mail.DOMAIN_SUFFIX
+  # rspamd URL (auth token injected separately from messages-mpa-credentials secret)
+  SPAM_RSPAMD_URL:               http://messages-mpa.lasuite.svc.cluster.local:8010/_api
+  MESSAGES_FRONTEND_BACKEND_SERVER: messages-backend.lasuite.svc.cluster.local:80
+  STORAGE_MESSAGE_IMPORTS_BUCKET_NAME:  sunbeam-messages-imports
+  STORAGE_MESSAGE_IMPORTS_ENDPOINT_URL: http://seaweedfs-filer.storage.svc.cluster.local:8333
+  AWS_STORAGE_BUCKET_NAME:       sunbeam-messages
+  IDENTITY_PROVIDER:             oidc
+  FRONTEND_THEME:                default
+  DRIVE_BASE_URL:                https://drive.DOMAIN_SUFFIX
+  LOGIN_REDIRECT_URL:            https://mail.DOMAIN_SUFFIX
+  LOGOUT_REDIRECT_URL:           https://mail.DOMAIN_SUFFIX
+  OIDC_REDIRECT_ALLOWED_HOSTS:   '["https://auth.DOMAIN_SUFFIX"]'
+  MTA_OUT_MODE:                  direct
+  # Create user accounts on first OIDC login (required — no pre-provisioning)
+  OIDC_CREATE_USER:              "True"
+  # Redirect to home on auth failure (avoids HttpResponseRedirect(None) → /callback/None 404)
+  LOGIN_REDIRECT_URL_FAILURE:    https://mail.DOMAIN_SUFFIX
+  # Store OIDC tokens in session so the Drive integration can proxy requests on behalf of the user.
+  OIDC_STORE_ACCESS_TOKEN:       "True"
+  OIDC_STORE_REFRESH_TOKEN:      "True"
+  # Session lives 7 days — long enough to survive overnight/weekend without re-auth.
+  # Default is 43200 (12h) which forces a login after a browser restart.
+  SESSION_COOKIE_AGE:            "604800"
+  # Renew the id token 60 s before it expires (access_token TTL = 1h).
+  # Without this the default falls back to SESSION_COOKIE_AGE (7 days), which means
+  # every request sees the 1h token as "expiring within 7 days" and triggers a
+  # prompt=none renewal on every page load — causing repeated auth loops.
+  OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS: "60"
+  # offline_access scope is set directly in the deployment env (overrides lasuite-oidc-provider envFrom).