feat(dashboards): add operational panels

[Automaat]

Motivation

Add observability panels to Grafana dashboards covering operational blind spots: xDS snapshot sizing, KDS health, VIP exhaustion, cert expiry, injection outcomes, and DNS internals.

Implementation information

Control plane dashboard (kuma-control-plane.json):

• xDS Snapshot Resources (p95 by type) — track cluster/endpoint fan-out growth
• KDS Active Zone Connections — monitor zone CP connectivity
• KDS NACK Rate — surface config rejection issues
• VIP Allocation Exhaustion (1h) — alert before VIP pool runs out
• xDS Cert Time Remaining (per mesh) — track cert renewal health
• Sidecar Injection Outcomes — split success/skip/error injection counts

Service debug dashboard (kuma-service-debug.json):

• DNS Queries by Type & Source — break down DNS traffic patterns
• DNS Response Codes — surface NXDOMAIN/SERVFAIL spikes
• DNS Map Entries (per pod) — track DNS table size per dataplane

All panels use existing metrics exposed by kuma-cp and kuma-dp; no code changes required.

Changelog: feat(dashboards): add operational Grafana panels for xDS, KDS, DNS, and cert monitoring

[Copilot]

Pull request overview

This PR extends Kuma’s Grafana dashboards with additional operational observability panels to cover xDS, KDS, VIP/IPAM, certificate lifecycle, sidecar injection, and DNS behavior.

Changes:

• Added xDS snapshot resource sizing, KDS connectivity/NACK, VIP exhaustion, cert expiry, and injection outcome panels to the control plane dashboard.
• Added DNS query breakdown, DNS response codes, and DNS map sizing panels to the service debug dashboard.
• Adjusted panel grid positions to accommodate the new rows.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
dashboards/grafana/kuma-service-debug.json	Adds DNS-focused panels (queries, response codes, map size) and shifts layout to fit them.
dashboards/grafana/kuma-control-plane.json	Adds operational control-plane panels (xDS snapshot sizing, KDS health, VIP exhaustion, cert expiry, injection outcomes) and shifts layout accordingly.

[github-actions]

Reviewer Checklist

🔍 Each of these sections need to be checked by the reviewer of the PR 🔍:
If something doesn't apply please check the box and add a justification if the reason is non obvious.

• Is the PR title satisfactory? Is this part of a larger feature and should be grouped using > Changelog?
• PR description is clear and complete. It Links to relevant issue as well as docs and UI issues
• This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as an image registry)
• IPv6 is taken into account (.e.g: no string concatenation of host port)
• Tests (Unit test, E2E tests, manual test on universal and k8s)
  • Don't forget ci/ labels to run additional/fewer tests
• Does this contain a change that needs to be notified to users? In this case, UPGRADE.md should be updated.
• Does it need to be backported according to the backporting policy? (this GH action will add "backport" label based on these file globs, if you want to prevent it from adding the "backport" label use no-backport-autolabel label)