
Update Files service config for gRPC-only (remove HTTP port, VirtualService) #72

@rowan-stein

User Request

The Files service was changed from HTTP+gRPC to gRPC-only (agynio/files#9). The bootstrap configuration still references the old HTTP interface (port 8080, HTTP health probes, Istio VirtualService). These need to be updated.


Specification

File: stacks/platform/main.tf

Change 1 — Update files_values local

The files_values block (Helm value overrides) needs these changes:

| Field | Before | After |
| --- | --- | --- |
| containerPorts[0] | name: "http", containerPort: 8080 | name: "grpc", containerPort: 50051 |
| service.ports[0] | name: "http", port: 8080, targetPort: "http" | name: "grpc", port: 50051, targetPort: "grpc" |
| livenessProbe | httpGet { path: "/healthz", port: "http" } | grpc { port: 50051 } |
| readinessProbe | httpGet { path: "/healthz", port: "http" } | grpc { port: 50051 } |
| files.urlExpiry | (missing) | "1h" |

Full replacement for files_values:

  files_values = yamlencode({
    fullnameOverride = "files"
    image = {
      repository = "ghcr.io/agynio/files"
      tag        = local.resolved_files_image_tag
      pullPolicy = "IfNotPresent"
    }
    securityContext = {
      enabled                  = true
      runAsNonRoot             = true
      runAsUser                = 65532
      runAsGroup               = 65532
      readOnlyRootFilesystem   = true
      allowPrivilegeEscalation = false
      capabilities = {
        drop = ["ALL"]
      }
      seccompProfile = {
        type = "RuntimeDefault"
      }
    }
    containerPorts = [
      {
        name          = "grpc"
        containerPort = 50051
        protocol      = "TCP"
      }
    ]
    service = {
      enabled = true
      type    = "ClusterIP"
      ports = [
        {
          name       = "grpc"
          port       = 50051
          targetPort = "grpc"
          protocol   = "TCP"
        }
      ]
    }
    livenessProbe = {
      enabled = true
      grpc = {
        port = 50051
      }
    }
    readinessProbe = {
      enabled = true
      grpc = {
        port = 50051
      }
    }
    files = {
      urlExpiry = "1h"
      databaseUrl = {
        value = format("postgresql://files:%s@files-db:5432/files?sslmode=disable", var.files_db_password)
      }
      s3 = {
        endpoint = "minio:9000"
        bucket   = var.minio_bucket_name
        region   = "us-east-1"
        useSSL   = false
        accessKey = {
          value = var.minio_root_user
        }
        secretKey = {
          value = var.minio_root_password
        }
      }
    }
  })

Change 2 — Remove virtualservice_files resource

Delete the entire kubernetes_manifest.virtualservice_files resource block.

Rationale: Files is now an internal-only gRPC service. Other internal gRPC services (agent-state, token-counting) have no VirtualService. External services (gateway, platform-ui, litellm, vault, minio) have VirtualServices. Files should follow the internal pattern. No other resource references virtualservice_files.

No other changes needed

variables.tf, outputs.tf, terraform.tfvars.example, files_db StatefulSet, minio, and ArgoCD application are all unchanged.
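
A consistency check for the values change specified above, as an added example that is not part of the issue or the project's code. It assumes the Helm values have already been decoded into a Python mapping; `lint_values`, `AFTER` and `HALF_MIGRATED` are hypothetical names, and the sample data is constructed from the Before/After table.

```python
# Added example: lint a decoded Helm values mapping for the gRPC-only layout.
# lint_values, AFTER and HALF_MIGRATED are hypothetical names; sample data is
# constructed from the Before/After table in the issue.

def lint_values(values):
    """Return findings; an empty list means the values are consistent."""
    findings = []
    ports = {p["name"]: p["containerPort"] for p in values.get("containerPorts", [])}
    for name, number in ports.items():
        if name == "http" or number == 8080:
            findings.append(f"containerPorts: leftover HTTP port {name}/{number}")
    for sp in values.get("service", {}).get("ports", []):
        target = sp.get("targetPort")
        # A named targetPort must resolve to a declared container port name.
        if isinstance(target, str) and target not in ports:
            findings.append(f"service.ports: targetPort {target!r} is not a containerPort name")
    for probe_name in ("livenessProbe", "readinessProbe"):
        probe = values.get(probe_name, {})
        if "httpGet" in probe:
            findings.append(f"{probe_name}: still uses httpGet")
        # Kubernetes gRPC probes take a numeric port, so compare by number.
        grpc_port = probe.get("grpc", {}).get("port")
        if grpc_port not in ports.values():
            findings.append(f"{probe_name}: grpc port {grpc_port!r} is not a containerPort")
    if "urlExpiry" not in values.get("files", {}):
        findings.append("files.urlExpiry: missing")
    return findings

GRPC_PROBE = {"enabled": True, "grpc": {"port": 50051}}
AFTER = {
    "containerPorts": [{"name": "grpc", "containerPort": 50051, "protocol": "TCP"}],
    "service": {"ports": [{"name": "grpc", "port": 50051, "targetPort": "grpc"}]},
    "livenessProbe": GRPC_PROBE,
    "readinessProbe": GRPC_PROBE,
    "files": {"urlExpiry": "1h"},
}
# Constructed failure case: container port renamed, Service and one probe not.
HALF_MIGRATED = dict(
    AFTER,
    service={"ports": [{"name": "http", "port": 8080, "targetPort": "http"}]},
    readinessProbe={"httpGet": {"path": "/healthz", "port": "http"}},
)

if __name__ == "__main__":
    for label, vals in (("after", AFTER), ("half-migrated", HALF_MIGRATED)):
        print(label, lint_values(vals) or "ok")
```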
