refactor: bootstrap/infra/ci separation (#27)

- Create bootstrap/ dir: cert-manager, traefik-routes, argo-rollouts,
  kargo, kargo-*-pipeline (not managed by Kargo promotion)
- infra/ now only: gitea, gitea-custom (promoted by Kargo)
- ci/ unchanged: gitea-runner (promoted by Kargo)
- Split kargo/credentials/ into dev/ and prod/ with separate ksops generators
- Remove kargo-credentials from AppSet (managed by Pulumi Go code)
- Update infra Warehouse: only gitea (was also argo-rollouts, cert-manager)
- Update infra Stage dev: only yaml-update for gitea version
- Fix test-env warehouse: valid subscription instead of empty array
- Update step numbers: bootstrap 1-5, infra 1-2

bootstrap/traefik-routes/manifests/gitea-ingress.yaml

@@ -0,0 +1,41 @@
+# Gitea HTTPS IngressRoute via Traefik
+# Uses default TLS store (wildcard-tls from kube-system via TLSStore)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-https
+  namespace: gitea
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: HostRegexp(`gitea.k3s\..+\.local`)
+      kind: Rule
+      middlewares:
+        - name: sslheader
+          namespace: kube-system
+        - name: gitea-buffer-timeout
+          namespace: gitea
+      services:
+        - name: gitea-http
+          port: 3000
+  tls: {}
+---
+# HTTP → HTTPS redirect for Gitea
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-http-redirect
+  namespace: gitea
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: HostRegexp(`gitea.k3s\..+\.local`)
+      kind: Rule
+      middlewares:
+        - name: redirect-https
+          namespace: kube-system
+      services:
+        - name: gitea-http
+          port: 3000