CHORE(deploy): use argocd for kaniko

Infrastructure as Code:
- Add Kaniko namespace and RBAC manifests
- Create ArgoCD Application for Kaniko infrastructure
- Kustomize configuration for Kaniko resources

Workflow improvements:
- Remove kubeconfig dependency
- Use in-cluster ServiceAccount (runner runs in K8s)
- Remove all sudo commands
- Simplify Kubernetes access

GitOps workflow:
1. Push manifests to Git
2. ArgoCD auto-syncs infrastructure
3. Gitea runner uses ServiceAccount permissions
4. Kaniko builds run in kaniko-builds namespace

Benefits:
- True GitOps approach
- No secrets management needed
- Declarative infrastructure
- ArgoCD handles reconciliation
- Audit trail in Git

.gitea/workflows/build.yml

@@ -35,24 +35,11 @@ jobs:
           fi
           kubectl version --client
 
-      - name: Setup kubeconfig
-        env:
-          KUBECONFIG_CONTENT: ${{ secrets.KUBECONFIG }}
+      - name: Setup Kubernetes access
         run: |
-          mkdir -p $HOME/.kube
-
-          if [ -z "$KUBECONFIG_CONTENT" ]; then
-            echo "❌ ERROR: KUBECONFIG secret is not set."
-            echo "Please add kubeconfig to Gitea Secrets with name 'KUBECONFIG'"
-            exit 1
-          fi
-
-          # Decode and save kubeconfig
-          echo "$KUBECONFIG_CONTENT" | base64 -d > $HOME/.kube/config
-          chmod 600 $HOME/.kube/config
-
-          # Test connection
-          echo "Testing Kubernetes connection..."
+          # Running in Kubernetes Pod - use in-cluster config
+          echo "Running in Kubernetes - using ServiceAccount"
+          kubectl version
           kubectl get nodes -o wide
 
       - name: Lowercase repository name
@@ -75,19 +62,16 @@ jobs:
 
       - name: Create Kaniko build context
         run: |
-          # Create tar.gz of build context
-          tar czf /tmp/build-context.tar.gz -C services/nextjs .
-
-          # Create namespace if not exists
-          sudo kubectl get namespace kaniko-builds 2>/dev/null || sudo kubectl create namespace kaniko-builds
+          # Create namespace if not exists (will be created by ArgoCD, but check anyway)
+          kubectl get namespace kaniko-builds 2>/dev/null || kubectl create namespace kaniko-builds
 
           # Create/update registry credentials secret
-          sudo kubectl create secret docker-registry kaniko-registry-creds \
+          kubectl create secret docker-registry kaniko-registry-creds \
             --docker-server=${{ env.REGISTRY }} \
             --docker-username=bluemayne \
             --docker-password=${{ secrets.GITEAREGISTRY }} \
             --namespace=kaniko-builds \
-            --dry-run=client -o yaml | sudo kubectl apply -f -
+            --dry-run=client -o yaml | kubectl apply -f -
 
       - name: Build and push with Kaniko on Kubernetes
         id: build
@@ -115,29 +99,29 @@ jobs:
           cat /tmp/kaniko-job.yaml
 
           # Apply the Job
-          sudo kubectl apply -f /tmp/kaniko-job.yaml
+          kubectl apply -f /tmp/kaniko-job.yaml
 
           # Wait for job to complete
           echo "⏳ Waiting for Kaniko job to complete..."
-          sudo kubectl wait --for=condition=complete --timeout=600s job/${BUILD_NAME} -n kaniko-builds || {
+          kubectl wait --for=condition=complete --timeout=600s job/${BUILD_NAME} -n kaniko-builds || {
             echo "❌ Job failed or timed out. Showing logs:"
-            POD=$(sudo kubectl get pods -n kaniko-builds -l job-name=${BUILD_NAME} -o jsonpath='{.items[0].metadata.name}')
-            sudo kubectl logs -n kaniko-builds ${POD} --all-containers=true || true
-            sudo kubectl delete job ${BUILD_NAME} -n kaniko-builds || true
-            sudo kubectl delete configmap ${BUILD_NAME}-dockerfile -n kaniko-builds || true
+            POD=$(kubectl get pods -n kaniko-builds -l job-name=${BUILD_NAME} -o jsonpath='{.items[0].metadata.name}')
+            kubectl logs -n kaniko-builds ${POD} --all-containers=true || true
+            kubectl delete job ${BUILD_NAME} -n kaniko-builds || true
+            kubectl delete configmap ${BUILD_NAME}-dockerfile -n kaniko-builds || true
             exit 1
           }
 
           echo "✅ Image built successfully"
 
           # Get digest from logs
-          POD=$(sudo kubectl get pods -n kaniko-builds -l job-name=${BUILD_NAME} -o jsonpath='{.items[0].metadata.name}')
-          DIGEST=$(sudo kubectl logs -n kaniko-builds ${POD} -c kaniko 2>/dev/null | grep -oP 'digest: \K[a-zA-Z0-9:]+' | tail -1 || echo "unknown")
+          POD=$(kubectl get pods -n kaniko-builds -l job-name=${BUILD_NAME} -o jsonpath='{.items[0].metadata.name}')
+          DIGEST=$(kubectl logs -n kaniko-builds ${POD} -c kaniko 2>/dev/null | grep -oP 'digest: \K[a-zA-Z0-9:]+' | tail -1 || echo "unknown")
           echo "digest=${DIGEST}" >> $GITHUB_OUTPUT
 
           # Cleanup
-          sudo kubectl delete job ${BUILD_NAME} -n kaniko-builds || true
-          sudo kubectl delete configmap ${BUILD_NAME}-dockerfile -n kaniko-builds || true
+          kubectl delete job ${BUILD_NAME} -n kaniko-builds || true
+          kubectl delete configmap ${BUILD_NAME}-dockerfile -n kaniko-builds || true
 
       - name: Extract SHA tag
         id: extract-tag