gitops: observability stack (Loki/Promtail/Grafana), Grafana Ingress, Argo multi-source

- Add gitops/observability umbrella chart with vendored Helm deps
- Grafana Ingress: Traefik, letsencrypt-prod, grafana.k8s.selair.it + root_url
- Argo Application: spec.sources (onelab + onelab-obs)
- OneLab: configuration secret override, compliance/LDAP values, logs.path /logs
- Docs: OBSERVABILITY, BOOTSTRAP, README, instance-overrides example

Made-with: Cursor

gitops/values/instance-overrides.example.yaml

@@ -0,0 +1,34 @@
+# Copy to a private file (e.g. gitops/values/private-k3s.yaml, gitignored) or merge into your env values.
+# Reference from Helm:  -f ../../values/k3s-example.yaml -f ../../values/private-k3s.yaml
+# Argo CD: add a second entry under helm.valueFiles (paths relative to chart path).
+
+onelab:
+  compliance:
+    enabled: true
+    # Optional tweaks (defaults match chart values.yaml):
+    # requireElectronicSignature: true
+    # executionOperatorRestrictionPolicy: "reviewed"
+    # executionAdminExpertRestrictionPolicy: "reviewed"
+    # preventCsvImport: true
+    # preventManualMetadataEdit: true
+    # deviceRestart: true
+
+  ldap:
+    enabled: true
+    # timeout: 30
+    # encryption: "start_tls"
+    # policy: "your-policy"
+    # verifyCertificates: true
+    # Paths inside the ldap-worker container (mount certs via extraVolumes if needed):
+    # tlsCaPath: "/ldap/ca.crt"
+    # tlsCertPath: "/ldap/client.crt"
+    # tlsKeyPath: "/ldap/client.key"
+    # tlsCiphers: ""
+    # tlsSslVersion: ""
+
+# Alternative: supply the full YAML yourself (no Helm templating of compliance/LDAP blocks).
+# 1. kubectl create secret generic onelab-configurations-custom -n onelab \
+#      --from-file=configurations.yml=./my-configurations.yml
+# 2. Set in values:
+# configuration:
+#   existingSecretName: onelab-configurations-custom