Add Certificate resources for internal IngressRoutes

cert-manager annotations don't work on Traefik IngressRoutes — explicit
Certificate resources are needed to trigger Let's Encrypt issuance.

infra/kubernetes/platform/traefik/certificate-internal.yaml

@@ -0,0 +1,38 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: argocd-tls
+  namespace: platform
+spec:
+  secretName: argocd-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  dnsNames:
+    - argocd.coreworlds.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: grafana-tls
+  namespace: platform
+spec:
+  secretName: grafana-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  dnsNames:
+    - grafana.coreworlds.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: longhorn-tls
+  namespace: platform
+spec:
+  secretName: longhorn-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  dnsNames:
+    - longhorn.coreworlds.io

infra/kubernetes/platform/traefik/kustomization.yaml

@@ -7,3 +7,4 @@ resources:
   - ingressroute-argocd.yaml
   - ingressroute-grafana.yaml
   - ingressroute-longhorn.yaml
+  - certificate-internal.yaml