feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates

- Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS
  proxy, worker, DKIM config, and theme customization
- Add Collabora deployment for document collaboration
- Add Drive frontend nginx config and values
- Add buildkitd namespace for in-cluster container builds
- Add SeaweedFS remote sync and additional S3 buckets
- Update vault secrets across namespaces (devtools, lasuite, media,
  monitoring, ory, storage) with expanded credential management
- Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus
  remote write and additional scrape configs
- Update local/production overlays with resource patches
- Remove stale login-ui resource patch from production overlay

base/lasuite/vault-secrets.yaml

@@ -22,6 +22,33 @@ spec:
   type: kv-v2
   path: seaweedfs
   refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: hive
+    - kind: Deployment
+      name: people-backend
+    - kind: Deployment
+      name: people-celery-worker
+    - kind: Deployment
+      name: people-celery-beat
+    - kind: Deployment
+      name: docs-backend
+    - kind: Deployment
+      name: docs-celery-worker
+    - kind: Deployment
+      name: docs-y-provider
+    - kind: Deployment
+      name: drive-backend
+    - kind: Deployment
+      name: drive-backend-celery-default
+    - kind: Deployment
+      name: meet-backend
+    - kind: Deployment
+      name: meet-celery-worker
+    - kind: Deployment
+      name: messages-backend
+    - kind: Deployment
+      name: messages-worker
   destination:
     name: seaweedfs-s3-credentials
     create: true
@@ -70,6 +97,9 @@ spec:
   type: kv-v2
   path: hive
   refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: hive
   destination:
     name: hive-oidc
     create: true
@@ -122,6 +152,13 @@ spec:
   type: kv-v2
   path: people
   refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: people-backend
+    - kind: Deployment
+      name: people-celery-worker
+    - kind: Deployment
+      name: people-celery-beat
   destination:
     name: people-django-secret
     create: true
@@ -172,6 +209,13 @@ spec:
   type: kv-v2
   path: docs
   refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: docs-backend
+    - kind: Deployment
+      name: docs-celery-worker
+    - kind: Deployment
+      name: docs-y-provider
   destination:
     name: docs-django-secret
     create: true
@@ -193,6 +237,11 @@ spec:
   type: kv-v2
   path: docs
   refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: docs-backend
+    - kind: Deployment
+      name: docs-y-provider
   destination:
     name: docs-collaboration-secret
     create: true
@@ -241,6 +290,11 @@ spec:
   type: kv-v2
   path: meet
   refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: meet-backend
+    - kind: Deployment
+      name: meet-celery-worker
   destination:
     name: meet-django-secret
     create: true
@@ -264,6 +318,11 @@ spec:
   type: kv-v2
   path: livekit
   refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: meet-backend
+    - kind: Deployment
+      name: meet-celery-worker
   destination:
     name: meet-livekit
     create: true
@@ -275,3 +334,241 @@ spec:
           text: "{{ index .Secrets \"api-key\" }}"
         LIVEKIT_API_SECRET:
           text: "{{ index .Secrets \"api-secret\" }}"
+---
+# Drive DB credentials from OpenBao database secrets engine (static role, 24h rotation).
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: drive-db-credentials
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: database
+  path: static-creds/drive
+  allowStaticCreds: true
+  refreshAfter: 5m
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: drive-backend
+    - kind: Deployment
+      name: drive-backend-celery-default
+  destination:
+    name: drive-db-credentials
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        password:
+          text: "{{ index .Secrets \"password\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: drive-django-secret
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: drive
+  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: drive-backend
+    - kind: Deployment
+      name: drive-backend-celery-default
+  destination:
+    name: drive-django-secret
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        DJANGO_SECRET_KEY:
+          text: "{{ index .Secrets \"django-secret-key\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: collabora-credentials
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: collabora
+  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: collabora
+  destination:
+    name: collabora-credentials
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        username:
+          text: "{{ index .Secrets \"username\" }}"
+        password:
+          text: "{{ index .Secrets \"password\" }}"
+---
+# Messages DB credentials from OpenBao database secrets engine (static role, 24h rotation).
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: messages-db-credentials
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: database
+  path: static-creds/messages
+  allowStaticCreds: true
+  refreshAfter: 5m
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: messages-backend
+    - kind: Deployment
+      name: messages-worker
+  destination:
+    name: messages-db-credentials
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        password:
+          text: "{{ index .Secrets \"password\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: messages-django-secret
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: messages
+  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: messages-backend
+    - kind: Deployment
+      name: messages-worker
+    - kind: Deployment
+      name: messages-mta-in
+  destination:
+    name: messages-django-secret
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        DJANGO_SECRET_KEY:
+          text: "{{ index .Secrets \"django-secret-key\" }}"
+        SALT_KEY:
+          text: "{{ index .Secrets \"salt-key\" }}"
+        MDA_API_SECRET:
+          text: "{{ index .Secrets \"mda-api-secret\" }}"
+        OIDC_STORE_REFRESH_TOKEN_KEY:
+          text: "{{ index .Secrets \"oidc-refresh-token-key\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: messages-dkim-key
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: messages
+  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: messages-mpa
+  destination:
+    name: messages-dkim-key
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        dkim-private-key:
+          text: "{{ index .Secrets \"dkim-private-key\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: messages-mpa-credentials
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: messages
+  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: messages-mpa
+  destination:
+    name: messages-mpa-credentials
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        RSPAMD_password:
+          text: "{{ index .Secrets \"rspamd-password\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: messages-socks-credentials
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: messages
+  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: messages-socks-proxy
+  destination:
+    name: messages-socks-credentials
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        PROXY_USERS:
+          text: "{{ index .Secrets \"socks-proxy-users\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: messages-mta-out-credentials
+  namespace: lasuite
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: messages
+  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: messages-mta-out
+  destination:
+    name: messages-mta-out-credentials
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        SMTP_USERNAME:
+          text: "{{ index .Secrets \"mta-out-smtp-username\" }}"
+        SMTP_PASSWORD:
+          text: "{{ index .Secrets \"mta-out-smtp-password\" }}"