feat(vso): deploy Vault Secrets Operator; add test RBAC + amd64 image aliases

- Add base/vso/ with Helm chart (v0.9.0 from helm.releases.hashicorp.com),
  namespace, and test-rbac.yaml granting the Helm test pod's default SA
  permission to create/read/delete Secrets, ConfigMaps, and Leases so the
  bundled connectivity test passes.
- Wire ../../base/vso into overlays/local/kustomization.yaml.
- Add image aliases for lasuite/people-backend and lasuite/people-frontend
  so kustomize rewrites those pulls to our Gitea registry (amd64-only images
  that are patched and mirrored by sunbeam.py).

overlays/local/kustomization.yaml

@@ -19,15 +19,24 @@ resources:
   - ../../base/lasuite
   - ../../base/media
   - ../../base/devtools
+  - ../../base/vso
 
 images:
-  # Local dev: image is built and imported directly into k3s containerd.
+  # Local dev: sunbeam-proxy is built and imported directly into k3s containerd.
   # imagePullPolicy: Never is set in values-pingora.yaml so k3s never tries to pull.
-  # Production overlay points this at src.DOMAIN_SUFFIX/sunbeam/sunbeam-proxy:latest.
+  # Production overlay points this at src.DOMAIN_SUFFIX/studio/sunbeam-proxy:latest.
   - name: sunbeam-proxy
     newName: sunbeam-proxy
     newTag: dev
 
+  # amd64-only La Suite images — mirrored to our Gitea registry with a patched
+  # OCI index that adds an arm64 alias so Rosetta can run them on the Lima VM.
+  # DOMAIN_SUFFIX is substituted by local-up.py at deploy time (sed replacement).
+  - name: lasuite/people-backend
+    newName: src.DOMAIN_SUFFIX/studio/people-backend
+  - name: lasuite/people-frontend
+    newName: src.DOMAIN_SUFFIX/studio/people-frontend
+
 patches:
   # Add hostPort for TURN relay range on Lima VM
   - path: values-pingora.yaml