feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates

- Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS
  proxy, worker, DKIM config, and theme customization
- Add Collabora deployment for document collaboration
- Add Drive frontend nginx config and values
- Add buildkitd namespace for in-cluster container builds
- Add SeaweedFS remote sync and additional S3 buckets
- Update vault secrets across namespaces (devtools, lasuite, media,
  monitoring, ory, storage) with expanded credential management
- Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus
  remote write and additional scrape configs
- Update local/production overlays with resource patches
- Remove stale login-ui resource patch from production overlay

base/monitoring/grafana-oauth2client.yaml

@@ -24,9 +24,9 @@ spec:
     - code
   scope: openid email profile
   redirectUris:
-    - https://grafana.DOMAIN_SUFFIX/login/generic_oauth
+    - https://metrics.DOMAIN_SUFFIX/login/generic_oauth
   postLogoutRedirectUris:
-    - https://grafana.DOMAIN_SUFFIX/
+    - https://metrics.DOMAIN_SUFFIX/
   tokenEndpointAuthMethod: client_secret_post
   secretName: grafana-oidc
   skipConsent: true

base/monitoring/prometheus-values.yaml

@@ -38,38 +38,30 @@ grafana:
       skip_org_role_sync: true
   sidecar:
     datasources:
-      # Disable the auto-provisioned ClusterIP datasource; we define it
-      # explicitly below using the external URL so Grafana's backend reaches
-      # Prometheus via Pingora (https://systemmetrics.DOMAIN_SUFFIX) rather
-      # than the cluster-internal ClusterIP which is blocked by network policy.
       defaultDatasourceEnabled: false
 
   additionalDataSources:
     - name: Prometheus
       type: prometheus
-      url: "https://systemmetrics.DOMAIN_SUFFIX"
+      url: "http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090"
       access: proxy
       isDefault: true
       jsonData:
         timeInterval: 30s
     - name: Loki
       type: loki
-      url: "https://systemlogs.DOMAIN_SUFFIX"
+      url: "http://loki-gateway.monitoring.svc.cluster.local:80"
       access: proxy
       isDefault: false
     - name: Tempo
       type: tempo
-      url: "https://systemtracing.DOMAIN_SUFFIX"
+      url: "http://tempo.monitoring.svc.cluster.local:3200"
       access: proxy
       isDefault: false
 
 prometheus:
   prometheusSpec:
     retention: 90d
-    # hostNetwork allows Prometheus to reach kubelet (10250) and node-exporter
-    # (9100) on the node's public InternalIP.  On a single-node bare-metal
-    # server, pod-to-node-public-IP traffic doesn't route without this.
-    hostNetwork: true
     additionalArgs:
       # Allow browser-direct queries from the Grafana UI origin.
       - name: web.cors.origin

base/monitoring/vault-secrets.yaml

@@ -23,6 +23,9 @@ spec:
   type: kv-v2
   path: grafana
   refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: kube-prometheus-stack-grafana
   destination:
     name: grafana-admin
     create: true