stage/prod: bootstrap apps only, prod ksops keys

Bootstrap: cert-manager kargo kargo-infra-pipeline kargo-ci-pipeline kargo-test-env-pipeline kargo-credentials
Other apps arrive via Kargo promotion (dev → test → PR → prod)

infra/traefik-routes/manifests/gitea-ingress.yaml

@@ -1,41 +0,0 @@
-# Gitea HTTPS IngressRoute via Traefik
-# Uses default TLS store (wildcard-tls from kube-system via TLSStore)
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: gitea-https
-  namespace: gitea
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: HostRegexp(`gitea.k3s\..+\.local`)
-      kind: Rule
-      middlewares:
-        - name: sslheader
-          namespace: kube-system
-        - name: gitea-buffer-timeout
-          namespace: gitea
-      services:
-        - name: gitea-http
-          port: 3000
-  tls: {}
----
-# HTTP → HTTPS redirect for Gitea
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: gitea-http-redirect
-  namespace: gitea
-spec:
-  entryPoints:
-    - web
-  routes:
-    - match: HostRegexp(`gitea.k3s\..+\.local`)
-      kind: Rule
-      middlewares:
-        - name: redirect-https
-          namespace: kube-system
-      services:
-        - name: gitea-http
-          port: 3000