Fix Gitea DB auth: use additionalConfigFromEnvs for password

The _secret/_key syntax doesn't work in Gitea Helm values. Use
additionalConfigFromEnvs to inject GITEA__database__PASSWD from
the sealed secret, which the chart translates into app.ini config.

infra/kubernetes/platform/gitea/application.yaml

@@ -26,15 +26,18 @@ spec:
         gitea:
           admin:
             existingSecret: gitea-admin-credentials
+          additionalConfigFromEnvs:
+            - name: GITEA__database__PASSWD
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-pg-credentials
+                  key: password
           config:
             database:
               DB_TYPE: postgres
               HOST: gitea-pg-rw.platform.svc:5432
               NAME: gitea
               USER: gitea
-              PASSWD:
-                _secret: gitea-pg-credentials
-                _key: password
             cache:
               ADAPTER: redis
               HOST: redis://valkey.platform.svc:6379/0