Fix cross-seed Gluetun firewall - allow Pod CIDR and preserve K8s DNS

Two critical fixes for cross-seed cluster connectivity:

1. Add Pod CIDR (192.168.144.0/20) to FIREWALL_OUTBOUND_SUBNETS
   - Gluetun firewall sees Pod IPs after kube-proxy DNAT, not Service IPs
   - Must allow traffic to Pod CIDR for cluster service communication
   - Reference: qdm12/gluetun-wiki#7

2. Set DNS_KEEP_NAMESERVER=on and DOT=off (not delete)
   - Preserves Kubernetes DNS resolver for cluster service resolution
   - Disables DOT which requires external DNS (1.1.1.1) blocked by firewall
   - Critical for consistent cluster DNS resolution

Author: sofmeright

fluxcd/apps/overlays/production/cross-seed/statefulset-patch.yaml

@@ -118,13 +118,13 @@ spec:
         - name: FIREWALL_INPUT_PORTS
           value: "2468,6887,9696"
         - name: FIREWALL_OUTBOUND_SUBNETS
-          value: "10.0.0.0/8,172.16.0.0/12,172.22.30.33/32"
+          value: "10.0.0.0/8,172.16.0.0/12,172.22.30.33/32,192.168.144.0/20"
         - name: DNS_ADDRESS
-          value: "10.144.0.10"
-        - name: DNS_KEEP_NAMESERVER
           $patch: delete
+        - name: DNS_KEEP_NAMESERVER
+          value: "on"
         - name: DOT
-          $patch: delete
+          value: "off"
   volumeClaimTemplates:
   - metadata:
       name: config