feat(devtools): deploy Penpot + MCP server, wildcard TLS via DNS-01

Penpot (designer.sunbeam.pt):
- Frontend/backend/exporter deployments with OIDC-only auth via Hydra
- VSO-managed DB, S3, and app secrets from OpenBao
- PostgreSQL user/db in CNPG postInitSQL
- Hydra Maester enabledNamespaces extended to devtools

Penpot MCP server (mcp-designer.sunbeam.pt):
- Pre-built Node.js image pushed to Gitea registry
- Auth-gated via Pingora auth_request → Hydra /userinfo
- WebSocket path for browser plugin connection

Wildcard TLS:
- Switched cert-manager from HTTP-01 (per-SAN) to DNS-01 via Scaleway webhook
- Certificate collapsed to *.sunbeam.pt + sunbeam.pt
- Added scaleway-certmanager-webhook Helm chart
- VSO secret for Scaleway DNS API credentials in cert-manager namespace
- Added cert-manager to OpenBao VSO auth role

overlays/production/cert-manager.yaml

@@ -1,9 +1,7 @@
-# cert-manager issuers and certificate for production TLS.
+# cert-manager issuers and wildcard certificate for production TLS.
 #
-# WORKFLOW: start with letsencrypt-staging to verify the HTTP-01 challenge
-# flow works without burning production rate limits. Once the staging cert
-# is issued successfully, flip the Certificate issuerRef to letsencrypt-production
-# and delete the old Secret so cert-manager re-issues with a trusted cert.
+# Uses DNS-01 via Scaleway DNS webhook for wildcard support.
+# No more per-subdomain SANs — *.DOMAIN_SUFFIX covers everything.
 #
 # ACME_EMAIL is substituted by sunbeam apply.
 ---
@@ -19,12 +17,19 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-staging-account-key
     solvers:
-      - http01:
-          ingress:
-            serviceType: ClusterIP
+      - dns01:
+          webhook:
+            groupName: acme.scaleway.com
+            solverName: scaleway
+            config:
+              accessKeySecretRef:
+                key: SCW_ACCESS_KEY
+                name: scaleway-secret
+              secretKeySecretRef:
+                key: SCW_SECRET_KEY
+                name: scaleway-secret
 ---
 # Let's Encrypt production — trusted cert, strict rate limits.
-# Switch to this once staging confirms challenges resolve correctly.
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
@@ -36,13 +41,19 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-production-account-key
     solvers:
-      - http01:
-          ingress:
-            serviceType: ClusterIP
+      - dns01:
+          webhook:
+            groupName: acme.scaleway.com
+            solverName: scaleway
+            config:
+              accessKeySecretRef:
+                key: SCW_ACCESS_KEY
+                name: scaleway-secret
+              secretKeySecretRef:
+                key: SCW_SECRET_KEY
+                name: scaleway-secret
 ---
-# Certificate covering all proxy subdomains.
-# Start with letsencrypt-staging. Once verified, change issuerRef.name to
-# letsencrypt-production and delete the pingora-tls Secret to force re-issue.
+# Wildcard certificate covering all subdomains.
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -55,27 +66,4 @@ spec:
     kind: ClusterIssuer
   dnsNames:
     - DOMAIN_SUFFIX
-    - docs.DOMAIN_SUFFIX
-    - meet.DOMAIN_SUFFIX
-    - drive.DOMAIN_SUFFIX
-    - mail.DOMAIN_SUFFIX
-    - messages.DOMAIN_SUFFIX
-    - people.DOMAIN_SUFFIX
-    - src.DOMAIN_SUFFIX
-    - auth.DOMAIN_SUFFIX
-    - s3.DOMAIN_SUFFIX
-    - metrics.DOMAIN_SUFFIX
-    - systemmetrics.DOMAIN_SUFFIX
-    - systemlogs.DOMAIN_SUFFIX
-    - systemtracing.DOMAIN_SUFFIX
-    - admin.DOMAIN_SUFFIX
-    - integration.DOMAIN_SUFFIX
-    - livekit.DOMAIN_SUFFIX
-    - cal.DOMAIN_SUFFIX
-    - projects.DOMAIN_SUFFIX
-    - id.DOMAIN_SUFFIX
-    - hydra.DOMAIN_SUFFIX
-    - search.DOMAIN_SUFFIX
-    - vault.DOMAIN_SUFFIX
-    - find.DOMAIN_SUFFIX
-    - call.DOMAIN_SUFFIX
+    - "*.DOMAIN_SUFFIX"