fix(helm): derive vector storage from app secret

Summary

• Render vector’s vector.yaml through the app ExternalSecret when External Secrets is enabled.
• Use the secret-backed HIVE_S3_BUCKET and HIVE_S3_REGION values for vector storage so it stays aligned with the app’s object-storage config.
• Add a web component label to Hive web pods and narrow the web Service/PDB selectors so ingress traffic cannot be routed to hive-vector.

Testing

• helm lint infra/helm/hive -f infra/helm/hive/values-production.yaml
• helm template hive infra/helm/hive -f infra/helm/hive/values-production.yaml
• curl -fsS https://hive.tuist.dev/ready
• Production smoke check: hive 2/2 ready on ghcr.io/tuist/hive:sha-897e37da271c, hive-vector 1/1 ready after manual Helm upgrade.
• Production routing check: service/hive now selects app.kubernetes.io/component=web and its EndpointSlice contains only port 4000 web pod endpoints.
• Repeated public requests: /settings/products consistently returns 302 to /login without cookies, and /forage/feature-requests consistently returns 200.
• mix format --check-formatted infra/helm/hive/templates/external-secret.yaml infra/helm/hive/templates/vector.yaml could not run because deps are not installed in this worktree.

No GitHub comments yet.