docs: document COOKIE_SECURE and OIDC_DISCOVERY_URL across all config files

Adds COOKIE_SECURE (fixes login loop on plain-HTTP setups) and the previously
undocumented OIDC_DISCOVERY_URL to .env.example, docker-compose.yml, README.md,
chart/values.yaml, chart/templates/configmap.yaml, and chart/README.md.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jubnl
2026-04-01 21:44:02 +02:00
parent 1a4c04e239
commit ae04071466
7 changed files with 39 additions and 9 deletions

@@ -10,6 +10,7 @@ LOG_LEVEL=info # info = concise user actions; debug = verbose admin-level detail
ALLOWED_ORIGINS=https://trek.example.com # Comma-separated origins for CORS and email links
FORCE_HTTPS=false # Redirect HTTP → HTTPS behind a TLS proxy
COOKIE_SECURE=true # Set to false to allow session cookies over HTTP (e.g. plain-IP or non-HTTPS setups). Defaults to true in production.
TRUST_PROXY=1 # Number of trusted proxies for X-Forwarded-For
ALLOW_INTERNAL_NETWORK=false # Allow outbound requests to private/RFC1918 IPs (e.g. Immich hosted on your LAN). Loopback and link-local addresses are always blocked.
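Review bot: The COOKIE_SECURE comment states only half of the default ("Defaults to true in production") and never says what the value is outside production or what setting it to false actually changes. If this toggles the Secure attribute on the session cookie, say so directly, and state the non-production default next to it. Because FORCE_HTTPS=false sits one line above, the comment should also say whether the two settings are independent, so that an operator running behind a TLS proxy does not switch COOKIE_SECURE off by mistake.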
@@ -22,6 +23,6 @@ OIDC_DISPLAY_NAME=SSO # Label shown on the SSO login button
OIDC_ONLY=true # Disable local password auth entirely (SSO only)
OIDC_ADMIN_CLAIM=groups # OIDC claim used to identify admin users
OIDC_ADMIN_VALUE=app-trek-admins # Value of the OIDC claim that grants admin role
OIDC_DISCOVERY_URL= # Override the auto-constructed discovery endpoint (e.g. Authentik: https://auth.example.com/application/o/trek/.well-known/openid-configuration)
OIDC_DISCOVERY_URL= # Override the auto-constructed OIDC discovery endpoint. Useful for providers (e.g. Authentik) that expose it at a non-standard path. Example: https://auth.example.com/application/o/trek/.well-known/openid-configuration
DEMO_MODE=false # Demo mode - resets data hourly
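Review bot: The reworded OIDC_DISCOVERY_URL comment says it overrides the "auto-constructed" endpoint but does not state what an empty value resolves to, so a reader cannot tell when the override is needed. Suggest naming the setting the default URL is built from and noting that the blank value means "use the default". It would also help to state whether the discovery fetch is covered by ALLOW_INTERNAL_NETWORK=false from the hunk above, since an identity provider on a private address would be affected by that restriction.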