Add Tilt development loop for Kubernetes deployment

[vondutchi]

/claim #144

Summary

• Add a root Tiltfile that fills the missing Tilt portion of the Docker + Kubernetes + Tilt deployment path.
• Reuse the existing Kubernetes manifests, build the backend image locally, live-sync backend code/tests, expose useful port-forwards, and run the Vite frontend as a Tilt local resource.
• Document the workflow in deploy/TILT.md and link it from the README.

Demo

• deploy/tilt-demo.mp4

Validation

• git diff --check
• git diff --cached --check
• Verified all Tiltfile-referenced files exist: deploy/k8s/namespace.yaml, deploy/k8s/secrets.example.yaml, deploy/k8s/app-stack.yaml, deploy/k8s/monitoring-stack.yaml, packages/backend/Dockerfile, and app/package.json.
• Verified deploy/tilt-demo.mp4 with ffprobe: H.264, 960x540, 5 seconds, 120 frames.
• Confirmed no generated local deploy/k8s/secrets.yaml is committed.

Notes

• This environment does not have tilt or kubectl installed, so I could not run a live cluster smoke test here. The change is scoped to the missing Tilt workflow and existing deployment assets.

[vondutchi]

Follow-up validation after installing Tilt locally:

• Fixed the Tilt context allowlist to use the current Tilt API shape.
• tilt alpha tiltfile-result -f Tiltfile now evaluates successfully.
• Tiltfile evaluation produced 14 manifests/resources, including backend, frontend-dev, postgres, redis, nginx, grafana, prometheus, and loki.
• Confirmed the generated local deploy/k8s/secrets.yaml was removed and is not committed.
• PR remains open and mergeable.

Still not claiming a full live cluster smoke test because this environment has no Docker daemon or Kubernetes context available.

[vondutchi]

Additional runtime validation completed after the monitoring fixes in c154113.

What changed:

• Added Promtail ServiceAccount + RBAC so Kubernetes pod discovery can use in-cluster credentials.
• Moved DATA_SOURCE_NAME after the Postgres secret-backed env vars so Kubernetes expands $(POSTGRES_USER), $(POSTGRES_PASSWORD), and $(POSTGRES_DB) before starting postgres-exporter.

Validation run locally on Colima/k3s:

• tilt ci --timeout 12m --host 127.0.0.1 --port 0 completed with SUCCESS. All workloads are healthy.
• A second clean run after the exporter fix also completed with SUCCESS. All workloads are healthy.
• kubectl get pods -n finmind -o wide showed backend replicas, Postgres, Redis, nginx, Prometheus, Grafana, Loki, Promtail, node-exporter, and all exporters at 1/1 Running.
• kubectl logs -n finmind deploy/postgres-exporter --tail=40 now shows Established new database connection and Postgres semantic version 16.14.0, instead of the previous literal $(POSTGRES_USER) auth attempts.

[vondutchi]

Small follow-up pushed in d3b8ab5: I added colima to the allowed local Kubernetes contexts and documented it in deploy/TILT.md.

Reason: the runtime validation above was performed on Colima/k3s, so this makes the Tilt workflow match the verified local cluster path instead of only listing kind/minikube/docker-desktop.

Validation:

• Current Kubernetes context: colima
• tilt alpha tiltfile-result -f Tiltfile renders 14 resources successfully, including backend, nginx, Postgres, Redis, Prometheus, Loki, Promtail, Grafana, exporters, frontend-dev, and uncategorized manifests.