Add Gitea self-hosted git/CI/registry to replace GitHub

Deploy Gitea via Helm with dedicated CloudNativePG database,
in-cluster Actions runner (DinD), and built-in container registry.
ArgoCD repoURLs updated to use in-cluster Gitea SSH. Preview
ApplicationSet switched from GitHub PR generator to Gitea PR
generator. App images now pull from gitea.coreworlds.io registry.

Remaining setup after deploy: seal runner token, ArgoCD API token,
and registry pull secret once Gitea is running. Add ArgoCD deploy
key to Gitea repo settings.

infra/kubernetes/platform/traefik/certificate-internal.yaml

@@ -49,3 +49,16 @@ spec:
     kind: ClusterIssuer
   dnsNames:
     - harness.coreworlds.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitea-tls
+  namespace: platform
+spec:
+  secretName: gitea-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  dnsNames:
+    - gitea.coreworlds.io

infra/kubernetes/platform/traefik/ingressroute-gitea.yaml

@@ -0,0 +1,19 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea
+  namespace: platform
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitea.coreworlds.io`)
+      kind: Rule
+      services:
+        - name: gitea-http
+          namespace: platform
+          port: 3000
+  tls:
+    secretName: gitea-tls

infra/kubernetes/platform/traefik/kustomization.yaml

@@ -8,5 +8,6 @@ resources:
   - ingressroute-grafana.yaml
   - ingressroute-longhorn.yaml
   - ingressroute-harness.yaml
+  - ingressroute-gitea.yaml
   - certificate-internal.yaml
   - servicemonitor.yaml