gitops: observability stack (Loki/Promtail/Grafana), Grafana Ingress, Argo multi-source

- Add gitops/observability umbrella chart with vendored Helm deps
- Grafana Ingress: Traefik, letsencrypt-prod, grafana.k8s.selair.it + root_url
- Argo Application: spec.sources (onelab + onelab-obs)
- OneLab: configuration secret override, compliance/LDAP values, logs.path /logs
- Docs: OBSERVABILITY, BOOTSTRAP, README, instance-overrides example

Made-with: Cursor

gitops/charts/onelab/values.yaml

@@ -3,6 +3,11 @@
 nameOverride: ""
 fullnameOverride: ""
 
+# If non-empty, workloads mount this Secret instead of chart-generated onelab-configurations.
+# Secret must contain key `configurations.yml`. Chart will NOT create onelab-configurations.
+configuration:
+  existingSecretName: ""
+
 images:
   registry: hub.andrewalliance.com/releases
   tag: "1.27.0"
@@ -71,11 +76,32 @@ onelab:
     authTokenKey: "TokenAuthPlaceholder"
     monitoringToken: "TokenMonitoringPlaceholder"
     rabbitToken: "TokenRabbitPlaceholder"
+  # Mirrors app/configurations.yml params.compliance (enable without editing app/).
+  compliance:
+    enabled: false
+    requireElectronicSignature: true
+    executionOperatorRestrictionPolicy: "reviewed"
+    executionAdminExpertRestrictionPolicy: "reviewed"
+    preventCsvImport: true
+    preventManualMetadataEdit: true
+    deviceRestart: true
+  # Set enabled: true to turn on LDAP in configurations.yml and deploy ldap-worker (or use features.ldapWorker).
+  ldap:
+    enabled: false
+    timeout: ""
+    encryption: ""
+    policy: ""
+    tlsCaPath: ""
+    tlsCertPath: ""
+    tlsKeyPath: ""
+    tlsCiphers: ""
+    tlsSslVersion: ""
   intercom:
     appid: "zxvgsagz"
     secret: "QUw2jEV8utIpe9DeYjOqBjhBY9VxjXddKUCISUNu"
 
 features:
+  # Deprecated for LDAP: prefer onelab.ldap.enabled (either enables ldap-worker + ldap.enabled in config).
   ldapWorker: false
   mailerWorker: false