Add KeyCape login overlay gateway for OpenBao browser UI

Streamline bao.coulomb.social login as "Sign in with KeyCape" via a versioned
nginx gateway that injects overlay assets and proxies to OpenBao. Disable chart
ingress in favor of the overlay ingress, wire make openbao-deploy, and add
openbao-verify-login-overlay with upstream drift detection.

helm/openbao-values.yaml

@@ -30,24 +30,10 @@ server:
       cpu: 500m
       memory: 512Mi
 
+  # Public browser ingress is owned by helm/openbao-ui-overlay-k8s.yaml so the
+  # KeyCape login overlay gateway can inject overlay assets.
   ingress:
-    enabled: true
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-      traefik.ingress.kubernetes.io/router.middlewares: >-
-        openbao-openbao-rate-limit@kubernetescrd,
-        openbao-openbao-hsts@kubernetescrd
-    ingressClassName: traefik
-    pathType: Prefix
-    activeService: true
-    hosts:
-      - host: bao.coulomb.social
-        paths:
-          - /
-    tls:
-      - secretName: bao-tls
-        hosts:
-          - bao.coulomb.social
+    enabled: false
 
   authDelegator:
     enabled: true