deploy: add Gitea registry pull secret and ExternalSecret

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/kubernetes-deploy.yaml

@@ -106,4 +106,4 @@ jobs:
           kubectl auth whoami
           kubectl get ns
 
-          kubectl apply -f deploy/
+          kubectl apply -k deploy/

deploy/deployment_gateway-cert-operator.yaml

@@ -17,6 +17,8 @@ spec:
         app.kubernetes.io/name: gateway-cert-operator
         app.kubernetes.io/component: operator
     spec:
+      imagePullSecrets:
+        - name: gitea-registry
       serviceAccountName: gateway-cert-operator
       terminationGracePeriodSeconds: 10
       securityContext:

deploy/externalsecret_gitea-registry.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-registry
+  namespace: fujarna
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: gitea-registry
+    creationPolicy: Owner
+    template:
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: "{{ .token }}"
+  data:
+    - secretKey: token
+      remoteRef:
+        key: k8s_home/gitea/container-registry
+        property: token

deploy/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace_gateway-cert-operator-system.yaml
+  - externalsecret_gitea-registry.yaml
+  - serviceaccount_gateway-cert-operator.yaml
+  - clusterrole_gateway-cert-operator.yaml
+  - clusterrolebinding_gateway-cert-operator.yaml
+  - deployment_gateway-cert-operator.yaml
+  - service_gateway-cert-operator-metrics.yaml