refactor: bootstrap/infra/ci separation (#27)

- Create bootstrap/ dir: cert-manager, traefik-routes, argo-rollouts,
  kargo, kargo-*-pipeline (not managed by Kargo promotion)
- infra/ now only: gitea, gitea-custom (promoted by Kargo)
- ci/ unchanged: gitea-runner (promoted by Kargo)
- Split kargo/credentials/ into dev/ and prod/ with separate ksops generators
- Remove kargo-credentials from AppSet (managed by Pulumi Go code)
- Update infra Warehouse: only gitea (was also argo-rollouts, cert-manager)
- Update infra Stage dev: only yaml-update for gitea version
- Fix test-env warehouse: valid subscription instead of empty array
- Update step numbers: bootstrap 1-5, infra 1-2

kargo/credentials/dev/git-creds-ci.dev.enc.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: ci
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:m9CZFhTHwaX6TrpGtbAynbI7eiprSrhCVVtST6fWiduFP55/EWtx1Q==,iv:iAjeVVakD8SZWhaEBu7JVR1YL2UGzYNBoy1W13M+Jwg=,tag:ABSswqyDhJG8+zlu8dWrgg==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOWI4eWZxOERjRHVhV1VI
+            MVE3WDErejZrNzBaRnVHK280dXI4WThxR2tvCmVzbE1HR1MzcEgybm8vUVVSOWJY
+            VlVvREl4NVRDRElHVHk5aWpnVkVhNW8KLS0tIG5FOXRwRy8xakFvaVlBTXF5OXJJ
+            aHFlbWh0Ym1NWEswbFM5N01JRGtGMUUKyjiN+bK0+6PLc/LG/dozgrAhB4PLcZmV
+            JVtxrSZWV6RQOuvc/HUw2yhO3dJldYqWauX+7ZOy2o1JACdPe9ixdQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWU9JLzdwbDI1SDJ3MnlE
+            YnlRQkdzWExpa1FGNjArSHFCamc2bWJnbjBBCnlkQlVEQVNDTXMvZ3NWRzhyT2lM
+            R0FpVUdleUVUcVVrTnRxQjVnSFo3S2cKLS0tIG1MZ0hYdGJpdTJ3WWU3MU1WeWFr
+            cklvSldLdW5ERDF1aW95dDlxOUtGbDAK7uoTP8idcEM8rQ7rRashsbzc9f4S7qI9
+            Bl87wLgMAFYfFO41cwSqhMY+gr7HRkDQq65CWo8HpQjMMlneC72jVQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-11T06:58:02Z"
+    mac: ENC[AES256_GCM,data:OYJAnGhgB0sOC2KEgse7ZYMkrvrRNsMWqVQZM29VbhPbvp3s3GMmJPROPydsjvm6OE4EIi0C6ry2h9pGoRY5IApw6+tSXVmrlr3oQIjkGqimJVdJ0oBSwEYtZ6gNKpsn1I7ZthXCHBfZmmESkYiTJj8ogdXxNLIqydIuITengpI=,iv:IpBxWcDeGUD9ucIAVjY3Ojc0wd63nWDPDIcH8OtvJY8=,tag:yDZ8d9E9dufB/iGTk71t2Q==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    version: 3.12.1

kargo/credentials/dev/git-creds-infra.dev.enc.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: infra
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:lzaZLTkmA68DadpquacJNc6CMxwv3wOlWh6Ze8e23F9lzFKw3oB5gg==,iv:9EZUg6DSUFnNddOaiB2oIfNYhaOKKkrP9Hkf+5OGcLk=,tag:rr6ej2x87mquQbXiBM7+Ow==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCeGdkaVJiNWE0Q0xWbTVT
+            dkZDN296VXJUMktMVUZ2U3FyeUwvVzBSaWc0CmRlWFpLdTlCNXl3eEtKcDRrUzhV
+            SG9KdkhlSTg0SnZwK3BvS0hkT3FjbjgKLS0tIDA2Y1lic053ejR0UWZUekZ1Y1JK
+            c2llUmhKNTRjaW1zQ3AyZzUvR1VRUG8KuFXq5pbpEEZd3P/E5bD0FCuSOIuGCsJL
+            bUx6VucI1zZF0DbXjzr28FsxqSJW4GiCpDscj1LGQIZa5jvj8aWMXA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRlh5SXdkTmZOVUdXc21N
+            aXNZaDhydXA3dUU4OHlidmViM2xUQU5rNDF3Ck9iditWSWcyaWoxNTVTRzN5Y0ZU
+            c21BT2R6U2lxNkh6cU9kdjFSRUVjUWsKLS0tIHBwWGI1R2p0TTg1amFRM2FlYVQx
+            Q2lIZDJ0ZkliWEtiVGd5eXIxMjB1OGMKeK2iTyPBrcIWByU9QXZ3Ora7gylwC66g
+            diGbcUF5ER7mUt0KEILTwuMkTUbhy1F5zLYB7p4e49YdY2O8mz51SA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-11T06:58:02Z"
+    mac: ENC[AES256_GCM,data:dzyW+dAsjPDrZQ3EWNnhLWfd9DSmRVSp1Qrm+nx4qFfsRoS5y61jnkhVyupq2OUVsuUTuePIAqmZQI16HD0TTMJIN9UKPdW2sEj/DGwdBXqcJRs6mvJlv79Jh2VlzJdJSpZf/YhCBVIVThZqrWBI1T1jPdN1gaJ0ov6cSAqYjPU=,iv:MMhdUthu2nUFJOkxXz00xXMiH7tit7sNejU/aXuQOmY=,tag:+NSHR9T4wlpJaBH5ZdxhvA==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    version: 3.12.1

kargo/credentials/dev/git-creds-test-env.dev.enc.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: test-env
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:pGwKoR6eurha3ATmL0XP01DTK3qXCxAV3SdFYmNFokKMZI+VuzZ/GQ==,iv:DKVdeBRQS+HjPkHftJZZuXf7yB+I18Ae3iK+7L+hZQ0=,tag:/K6twgUKTNrn6s1rDTAeQA==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTk5seDNiR2dRcXRRclJZ
+            UlNuRXZGd3ZMTDNsaHVrYUtnUmsyNk1IVkJFCmo0Y0pwdnlsay9qcy8rakk4ejBF
+            VHAzbmRObUFVVVpZN0JraHRlVmhhNW8KLS0tIHNXd01OUnVxclRXcE9iNFNzZS9S
+            UlQzRnlSb2F0Y0J0eVdZN1BSelRrSWcK8V99m3Hh2mOm9csGG42k4FIeFbQnkXIr
+            w3elSENAib0rFz7Uewpn1VD3yjFL7SVv33bVOEuM3KlHDtUnF6fuuQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOS05ZanNzMWRFRG5EUlNq
+            WmtLUHpHRE0rWXRuVXRLRDFiRDZSZmdEc2lnCmMrbHRxRUhIWDFkaTJlekxrckxj
+            V3ROU25aOVZGVzVUY3IwRlhwYWhBWEUKLS0tIHZCS1ZobFlqQ2NZSUt3N1VSV2l4
+            SmVWWDRhckRxek1jRFpPUnIxb0QxaDQKmkVXDqP0tjaWo/fkdqrIatV/bhyQt9vb
+            Rzz21KATjKow6VtekA3FVOVchlDsaYDLkhuLI69I1lIYqR99ovS+8w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-11T06:58:02Z"
+    mac: ENC[AES256_GCM,data:CDESJXzhctA4WexUb2hP6ykWkRCWUsgIYHOSmRnHUlyf6Pd8uF43Bl/+ZHWhE6SLWf3LKGMOKSU60Qkh1aSH+Z9BqaiKa3dL0MIQx4yXRe9NzS/mEki4IsuQi27AZ6BKD93tznyVKbCAzxmyP1jRhbRNIKBA2dWoQAITX1w2vvA=,iv:l8JZK3a17DfIn3llapKnUZH7SRNCte5MNPZzjtPJbxA=,tag:rEcarIr7UhsV+THixTUiKw==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    version: 3.12.1

kargo/credentials/dev/ksops-generator.yaml

@@ -0,0 +1,12 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: kargo-git-credentials
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+  - git-creds-infra.dev.enc.yaml
+  - git-creds-ci.dev.enc.yaml
+  - git-creds-test-env.dev.enc.yaml

kargo/credentials/dev/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+generators:
+  - ksops-generator.yaml