refactor: bootstrap/infra/ci separation (#27)

- Create bootstrap/ dir: cert-manager, traefik-routes, argo-rollouts,
  kargo, kargo-*-pipeline (not managed by Kargo promotion)
- infra/ now only: gitea, gitea-custom (promoted by Kargo)
- ci/ unchanged: gitea-runner (promoted by Kargo)
- Split kargo/credentials/ into dev/ and prod/ with separate ksops generators
- Remove kargo-credentials from AppSet (managed by Pulumi Go code)
- Update infra Warehouse: only gitea (was also argo-rollouts, cert-manager)
- Update infra Stage dev: only yaml-update for gitea version
- Fix test-env warehouse: valid subscription instead of empty array
- Update step numbers: bootstrap 1-5, infra 1-2

bootstrap/traefik-routes/config.yaml

@@ -0,0 +1,10 @@
+{
+  "name": "traefik-routes",
+  "namespace": "kube-system",
+  "step": "2",
+  "source": {
+    "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
+    "path": "infra/traefik-routes/manifests",
+    "targetRevision": "main"
+  }
+}

bootstrap/traefik-routes/manifests/gitea-ingress.yaml

@@ -0,0 +1,41 @@
+# Gitea HTTPS IngressRoute via Traefik
+# Uses default TLS store (wildcard-tls from kube-system via TLSStore)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-https
+  namespace: gitea
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: HostRegexp(`gitea.k3s\..+\.local`)
+      kind: Rule
+      middlewares:
+        - name: sslheader
+          namespace: kube-system
+        - name: gitea-buffer-timeout
+          namespace: gitea
+      services:
+        - name: gitea-http
+          port: 3000
+  tls: {}
+---
+# HTTP → HTTPS redirect for Gitea
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-http-redirect
+  namespace: gitea
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: HostRegexp(`gitea.k3s\..+\.local`)
+      kind: Rule
+      middlewares:
+        - name: redirect-https
+          namespace: kube-system
+      services:
+        - name: gitea-http
+          port: 3000

bootstrap/traefik-routes/manifests/gitea-ssh.yaml

@@ -0,0 +1,14 @@
+# Gitea SSH access via Traefik TCP routing (port 2222)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: gitea-ssh
+  namespace: gitea
+spec:
+  entryPoints:
+    - ssh
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: gitea-ssh
+          port: 22

bootstrap/traefik-routes/manifests/kargo-ingress.yaml

@@ -0,0 +1,21 @@
+# Kargo dashboard HTTPS IngressRoute
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kargo-https
+  namespace: kargo
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: HostRegexp(`kargo.k3s\..+\.local`)
+      kind: Rule
+      middlewares:
+        - name: kargo-tls-middleware
+          namespace: kargo
+      services:
+        - name: kargo-api
+          port: 443
+          scheme: https
+          serversTransport: kargo-skip-verify
+  tls: {}

bootstrap/traefik-routes/manifests/kargo-transport.yaml

@@ -0,0 +1,8 @@
+# ServersTransport to skip TLS verification for Kargo backend (self-signed cert)
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: kargo-skip-verify
+  namespace: kargo
+spec:
+  insecureSkipVerify: true

bootstrap/traefik-routes/manifests/middlewares.yaml

@@ -0,0 +1,57 @@
+# HTTP → HTTPS redirect
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-https
+  namespace: kube-system
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+---
+# Forward X-Forwarded-Proto header for backends behind TLS termination
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: sslheader
+  namespace: kube-system
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+---
+# Gitea: buffer large requests (git push) + timeout for CI builds
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: gitea-buffer-timeout
+  namespace: gitea
+spec:
+  buffering:
+    maxRequestBodyBytes: 0
+    maxResponseBodyBytes: 0
+    memRequestBodyBytes: 20971520
+    memResponseBodyBytes: 20971520
+    retryExpression: "IsNetworkError()"
+---
+# ArgoCD: X-Forwarded-Proto for TLS termination
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: argocd-tls-middleware
+  namespace: argocd
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+---
+# Kargo: X-Forwarded-Proto for TLS termination
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: kargo-tls-middleware
+  namespace: kargo
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"

bootstrap/traefik-routes/manifests/namespaces.yaml

@@ -0,0 +1,14 @@
+# Ensure namespaces exist for cross-namespace middleware references
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea
+  labels:
+    name: gitea
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kargo
+  labels:
+    name: kargo

bootstrap/traefik-routes/manifests/tls-store.yaml

@@ -0,0 +1,10 @@
+# Default TLS store — uses wildcard-tls from kube-system as default cert.
+# All IngressRoutes with tls: {} will use this certificate.
+apiVersion: traefik.io/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: kube-system
+spec:
+  defaultCertificate:
+    secretName: wildcard-tls

bootstrap/traefik-routes/manifests/traefik-dashboard.yaml

@@ -0,0 +1,19 @@
+# Traefik Dashboard IngressRoute
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: kube-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: HostRegexp(`traefik.k3s\..+\.local`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+      kind: Rule
+      middlewares:
+        - name: sslheader
+          namespace: kube-system
+      services:
+        - name: api@internal
+          kind: TraefikService
+  tls: {}