deploy: add Gitea registry pull secret and ExternalSecret

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

deploy/deployment_gateway-cert-operator.yaml

@@ -17,6 +17,8 @@ spec:
         app.kubernetes.io/name: gateway-cert-operator
         app.kubernetes.io/component: operator
     spec:
+      imagePullSecrets:
+        - name: gitea-registry
       serviceAccountName: gateway-cert-operator
       terminationGracePeriodSeconds: 10
       securityContext:

deploy/externalsecret_gitea-registry.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-registry
+  namespace: fujarna
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: gitea-registry
+    creationPolicy: Owner
+    template:
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: "{{ .token }}"
+  data:
+    - secretKey: token
+      remoteRef:
+        key: k8s_home/gitea/container-registry
+        property: token

deploy/kustomization.yaml

@@ -3,6 +3,7 @@ kind: Kustomization
 
 resources:
   - namespace_gateway-cert-operator-system.yaml
+  - externalsecret_gitea-registry.yaml
   - serviceaccount_gateway-cert-operator.yaml
   - clusterrole_gateway-cert-operator.yaml
   - clusterrolebinding_gateway-cert-operator.yaml