
feat(helm): wire dashboard.* values + Secret-mounted session secret into chart#153

Closed
debsahu wants to merge 2 commits into wind-c:main from debsahu:feat/helm-dashboard-values


@debsahu debsahu commented May 6, 2026

Follow-up to #150 (chart) and #151 (dashboard). Adds the dashboard.* values block + Secret-mounted session secret + initial admin password wiring that #151's PR description marked as deferred.

⚠️ Hold for #151 to merge first. This PR is opened as a draft because the chart values are inert until the broker side ships in #151. Once #151 lands and the GHCR image rebuilds with the dashboard binary embedded, this can come out of draft and merge.

What's in

values.yaml — new dashboard: block

dashboard:
  enabled: true              # broker default
  passwordExpiryDays: 90     # 0 disables
  sessionSecret:
    existingSecret: ""       # reference an existing Secret
    key: session-secret
    value: ""                # OR inline; rendered into <release>-dashboard
  initialPassword:
    existingSecret: ""
    key: initial-password
    value: ""

Wiring

  • ConfigMap gains a dashboard: block (enabled, password-expiry-days) injected into the rendered broker config for both single and cluster modes. The session secret deliberately stays out of the ConfigMap so it never lands in plaintext-rendered manifests.
  • Deployment + StatefulSet containers get an env: block via a new comqtt.dashboardEnv helper that wires COMQTT_DASHBOARD_SESSION_SECRET and DASHBOARD_INITIAL_PASSWORD from the configured Secret (existing or chart-managed).
  • New templates/dashboard-secret.yaml renders a chart-managed <release>-dashboard Secret only when at least one inline value is provided. If everything points at existing Secrets, no chart-managed Secret is created.
  • values.schema.json gains a dashboard schema with a reusable secretRef $def.

Cluster-mode note

The broker auto-shares an HMAC secret across cluster nodes via Redis (comqtt:dashboard:secret) when Redis is configured. The env-mounted COMQTT_DASHBOARD_SESSION_SECRET then acts as a fallback if Redis is unreachable on boot. So in normal cluster operation the chart-side Secret is optional; in single-mode it's the only way to keep login cookies surviving a pod restart.

Verification (helm template ci .)

| Path | Result |
| --- | --- |
| Default values (single) | dashboard: block in ConfigMap, no env: block, no chart Secret rendered |
| sessionSecret.value=..., initialPassword.existingSecret=my-existing | Managed Secret rendered with session-secret key; env wires session to managed, initial password to my-existing/admin-pw |
| mode=cluster, replicaCount=3, initialPassword.value=... | StatefulSet env extends after the existing entrypoint env vars; cluster ConfigMap gains the dashboard block |
| dashboard.enabled=false | dashboard: { enabled: false } only, no env, no Secret |

helm lint . clean.

Out of scope
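An added sketch of the Secret-or-inline pattern the PR description lays out, written as Helm templates. This is example code, not the chart's own templates (the PR page does not show them): the helper name `comqtt.dashboardEnv`, the `<release>-dashboard` Secret name, the `dashboard.*` values keys and the two env var names follow the description above, while the `comqtt.secretSource` and `comqtt.dashboardSecretName` helpers, the file layout and the exact conditions are assumptions. It also adds one guard the description does not mention: an inline value is rendered into the chart-managed Secret only when no `existingSecret` is set for that field, so the two sources cannot both be active at once.

```yaml
# templates/_helpers.tpl  (assumed layout; example, not the chart's own file)

{{/* Chart-managed Secret name: <release>-dashboard */}}
{{- define "comqtt.dashboardSecretName" -}}
{{ .Release.Name }}-dashboard
{{- end -}}

{{/*
Pick the Secret a field is read from. An operator-supplied existingSecret
wins; otherwise an inline value lives in the chart-managed Secret; otherwise
the result is empty and the caller emits no env entry at all.
Call as: include "comqtt.secretSource" (dict "field" .Values.dashboard.sessionSecret "root" .)
*/}}
{{- define "comqtt.secretSource" -}}
{{- if .field.existingSecret -}}
{{ .field.existingSecret }}
{{- else if .field.value -}}
{{ include "comqtt.dashboardSecretName" .root }}
{{- end -}}
{{- end -}}

{{/*
env: entries for the broker container. Renders nothing when the dashboard is
disabled or no secret source is configured, which keeps the default render
free of an env block. Only secretKeyRef is used, so the secret never appears
in plaintext in the rendered Deployment/StatefulSet.
*/}}
{{- define "comqtt.dashboardEnv" -}}
{{- if .Values.dashboard.enabled -}}
{{- $session := include "comqtt.secretSource" (dict "field" .Values.dashboard.sessionSecret "root" .) -}}
{{- $initial := include "comqtt.secretSource" (dict "field" .Values.dashboard.initialPassword "root" .) -}}
{{- if $session }}
- name: COMQTT_DASHBOARD_SESSION_SECRET
  valueFrom:
    secretKeyRef:
      name: {{ $session }}
      key: {{ .Values.dashboard.sessionSecret.key }}
{{- end }}
{{- if $initial }}
- name: DASHBOARD_INITIAL_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ $initial }}
      key: {{ .Values.dashboard.initialPassword.key }}
{{- end }}
{{- end -}}
{{- end -}}

---
# templates/dashboard-secret.yaml  (assumed; example, not the chart's own file)
# Rendered only when at least one field carries an inline value AND that
# field does not also point at an existingSecret.
{{- $inlineSession := and .Values.dashboard.sessionSecret.value (not .Values.dashboard.sessionSecret.existingSecret) }}
{{- $inlineInitial := and .Values.dashboard.initialPassword.value (not .Values.dashboard.initialPassword.existingSecret) }}
{{- if and .Values.dashboard.enabled (or $inlineSession $inlineInitial) }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "comqtt.dashboardSecretName" . }}
type: Opaque
data:
  {{- if $inlineSession }}
  {{ .Values.dashboard.sessionSecret.key }}: {{ .Values.dashboard.sessionSecret.value | b64enc | quote }}
  {{- end }}
  {{- if $inlineInitial }}
  {{ .Values.dashboard.initialPassword.key }}: {{ .Values.dashboard.initialPassword.value | b64enc | quote }}
  {{- end }}
{{- end }}
```

In the Deployment and StatefulSet the helper would be spliced in after the existing env entries with `{{- include "comqtt.dashboardEnv" . | nindent 12 }}` (indent depth depends on the surrounding template). Two operational checks worth running against any implementation of this pattern: `helm template ci . --set dashboard.sessionSecret.value=x | grep -c secretKeyRef` should report exactly one reference per configured field and zero for the default values, and `helm template ci . --set dashboard.sessionSecret.value=x | grep -- x` should find the value only inside the Secret's base64 `data:` (base64 is encoding, not protection). Because Helm also stores the supplied values in a release Secret in the namespace and `helm get values` prints them, the `existingSecret` path, fed by whatever secret-management tooling the cluster already uses, keeps the session secret and initial password out of release history entirely; the inline path is convenient for CI and dev clusters.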

debsahu added 2 commits May 6, 2026 12:06
Wires the embedded web dashboard (PR wind-c#151) into the Helm chart shipped
in wind-c#137/wind-c#150. Operators can now:

- Toggle the dashboard via `dashboard.enabled` (default: true, matching
  the broker default).
- Tune password expiry via `dashboard.passwordExpiryDays`.
- Pin the HMAC session secret across pod restarts by either referencing
  an existing Secret (`dashboard.sessionSecret.existingSecret`) or
  providing an inline value rendered into a chart-managed
  `<release>-dashboard` Secret.
- Seed the initial admin password via the same Secret-or-inline pattern.

Both fields are exported into the broker container via the existing
broker env contract (`COMQTT_DASHBOARD_SESSION_SECRET`,
`DASHBOARD_INITIAL_PASSWORD`) for both single-mode Deployment and
cluster-mode StatefulSet.

The rendered config gains a `dashboard:` block (enabled + expiry days)
in the ConfigMap. The session-secret stays out of the ConfigMap and
flows only via the env reference, so the value never lands in
plaintext-rendered manifests.

In cluster mode the broker still prefers the redis-backed shared
secret automatically; the env reference acts as a fallback when redis
is unreachable on boot.

Schema, README values table, and three render paths (default,
inline secret + existingSecret, disabled) verified via helm template.

debsahu commented May 8, 2026

Closing per the agreed plan on #151: the dashboard work moves to a separate add-on module (debsahu/comqtt-dashboard), so this chart values block goes with it. The add-on repo will ship its own helm chart that includes this functionality.

#154 (Gateway API) stays open since it is independent of the dashboard.

@debsahu debsahu closed this May 8, 2026
