fix: Correct pod selectors for Prometheus and Flux Tailscale services, use Doppler for Grafana creds

Prometheus needs operator.prometheus.io/name label selector. Flux UI pods
are labeled gitops-server not weave-gitops. Grafana now reads admin creds
from Doppler via ExternalSecret instead of hardcoded values.

infrastructure/addons/flux-ui/flux-tailscale-service.yaml

@@ -10,9 +10,10 @@ spec:
   type: LoadBalancer
   loadBalancerClass: tailscale
   selector:
-    app.kubernetes.io/name: weave-gitops
+    app.kubernetes.io/name: gitops-server
+    app.kubernetes.io/instance: weave-gitops
   ports:
     - name: http
       port: 9001
       protocol: TCP
-      targetPort: 9001
+      targetPort: http

infrastructure/addons/observability/helmrelease-kube-prometheus-stack.yaml

@@ -25,8 +25,7 @@ spec:
     grafana:
       enabled: true
       admin:
-        user: admin
-        password: admin123
+        existingSecret: grafana-admin-credentials
       grafana.ini:
         server:
           root_url: http://grafana.silverside-gopher.ts.net/

infrastructure/addons/observability/kustomization.yaml

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
+  - grafana-admin-externalsecret.yaml
   - helmrepository-prometheus-community.yaml
   - helmrepository-grafana.yaml
   - helmrelease-kube-prometheus-stack.yaml

infrastructure/addons/observability/prometheus-tailscale-service.yaml

@@ -11,6 +11,7 @@ spec:
   loadBalancerClass: tailscale
   selector:
     app.kubernetes.io/name: prometheus
+    operator.prometheus.io/name: observability-kube-prometh-prometheus
   ports:
     - name: http
       port: 9090