feat(vso): deploy Vault Secrets Operator; add test RBAC + amd64 image aliases

- Add base/vso/ with Helm chart (v0.9.0 from helm.releases.hashicorp.com),
  namespace, and test-rbac.yaml granting the Helm test pod's default SA
  permission to create/read/delete Secrets, ConfigMaps, and Leases so the
  bundled connectivity test passes.
- Wire ../../base/vso into overlays/local/kustomization.yaml.
- Add image aliases for lasuite/people-backend and lasuite/people-frontend
  so kustomize rewrites those pulls to our Gitea registry (amd64-only images
  that are patched and mirrored by sunbeam.py).

base/vso/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: vault-secrets-operator
+
+resources:
+  - namespace.yaml
+  - test-rbac.yaml
+
+helmCharts:
+  # helm repo add hashicorp https://helm.releases.hashicorp.com
+  - name: vault-secrets-operator
+    repo: https://helm.releases.hashicorp.com
+    version: "0.9.0"
+    releaseName: vault-secrets-operator
+    namespace: vault-secrets-operator
+    valuesFile: vso-values.yaml

base/vso/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vault-secrets-operator
+  annotations:
+    linkerd.io/inject: disabled

base/vso/test-rbac.yaml

@@ -0,0 +1,30 @@
+---
+# Grant the default SA in vault-secrets-operator the permissions the Helm
+# test pod needs. The test runs the VSO binary which initializes its Vault
+# client cache by creating/reading a K8s Secret in this namespace.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vault-secrets-operator-test
+  namespace: vault-secrets-operator
+rules:
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps"]
+    verbs: ["create", "get", "update", "delete", "list", "watch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["create", "get", "update", "delete", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vault-secrets-operator-test
+  namespace: vault-secrets-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: vault-secrets-operator-test
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: vault-secrets-operator

base/vso/vso-values.yaml

@@ -0,0 +1,8 @@
+# Vault Secrets Operator Helm values
+# chart: vault-secrets-operator from https://helm.releases.hashicorp.com
+# Connects to OpenBao (Vault-compatible) running in the data namespace.
+
+defaultVaultConnection:
+  enabled: true
+  address: "http://openbao.data.svc.cluster.local:8200"
+  skipTLSVerify: false  # OpenBao has TLS disabled (tlsDisable: true in openbao-values.yaml)

overlays/local/kustomization.yaml

@@ -19,15 +19,24 @@ resources:
   - ../../base/lasuite
   - ../../base/media
   - ../../base/devtools
+  - ../../base/vso
 
 images:
-  # Local dev: image is built and imported directly into k3s containerd.
+  # Local dev: sunbeam-proxy is built and imported directly into k3s containerd.
   # imagePullPolicy: Never is set in values-pingora.yaml so k3s never tries to pull.
-  # Production overlay points this at src.DOMAIN_SUFFIX/sunbeam/sunbeam-proxy:latest.
+  # Production overlay points this at src.DOMAIN_SUFFIX/studio/sunbeam-proxy:latest.
   - name: sunbeam-proxy
     newName: sunbeam-proxy
     newTag: dev
 
+  # amd64-only La Suite images — mirrored to our Gitea registry with a patched
+  # OCI index that adds an arm64 alias so Rosetta can run them on the Lima VM.
+  # DOMAIN_SUFFIX is substituted by local-up.py at deploy time (sed replacement).
+  - name: lasuite/people-backend
+    newName: src.DOMAIN_SUFFIX/studio/people-backend
+  - name: lasuite/people-frontend
+    newName: src.DOMAIN_SUFFIX/studio/people-frontend
+
 patches:
   # Add hostPort for TURN relay range on Lima VM
   - path: values-pingora.yaml