Fix meet: ALLOWED_HOSTS, OIDC callback, and LiveKit connectivity

- meet-config: rename ALLOWED_HOSTS → DJANGO_ALLOWED_HOSTS (django-configurations
  ListValue uses DJANGO_ prefix by default; without it the list was empty and
  every browser request got 400 DisallowedHost)
- meet-config: set LIVEKIT_API_URL to public https://livekit.DOMAIN_SUFFIX so
  the meet frontend can reach LiveKit for WebSocket signaling
- pingora-config: add livekit.DOMAIN_SUFFIX → livekit-server:80 WebSocket route
- cert-manager: add livekit.DOMAIN_SUFFIX to TLS cert dnsNames
- oidc-clients: fix meet redirect URI /oidc/callback/ → /api/v1.0/callback/
  (meet embeds mozilla-django-oidc inside the api/v1.0/ prefix); add
  postLogoutRedirectUri for clean logout
- livekit-values: replace hardcoded devkey:secret-placeholder with key_file
  loaded from a VSO-managed K8s Secret (secret/livekit in OpenBao)
- media/vault-secrets: add VaultAuth + VaultStaticSecret for media namespace
  to sync livekit API credentials from OpenBao

base/media/livekit-values.yaml

@@ -26,10 +26,13 @@ livekit:
     # Valkey is protocol-compatible with Redis; LiveKit sees this as a Redis endpoint
     address: valkey.data.svc.cluster.local:6379
 
-  # API keys — overridden per-environment via secrets.
-  # At least one key must be present for the server to start.
-  keys:
-    devkey: secret-placeholder
+  # API keys — loaded from K8s Secret managed by VSO (secret/livekit in OpenBao).
+  # The keys.yaml field contains "devkey: <api-secret>" in YAML format.
+  key_file: keys.yaml
+
+storeKeysInSecret:
+  enabled: true
+  existingSecret: livekit-api-credentials
 
 deployment:
   # hostNetwork gives LiveKit direct access to the host network namespace,