REFACTOR(k8s): reorganize to base/overlays pattern

- Add k8s/base/ with deployment and service
- Add k8s/overlays/prod/ with environment config

deploy/k8s/overlays/prod/externalsecret.yaml

@@ -0,0 +1,66 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: mas-api-keys
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: mas-api-keys
+    creationPolicy: Owner
+  data:
+    - secretKey: anthropic-api-key
+      remoteRef:
+        key: mas/api-keys
+        property: ANTHROPIC_API_KEY
+    - secretKey: groq-api-key
+      remoteRef:
+        key: mas/api-keys
+        property: GROQ_API_KEY
+    - secretKey: openai-api-key
+      remoteRef:
+        key: mas/api-keys
+        property: OPENAI_API_KEY
+    - secretKey: google-api-key
+      remoteRef:
+        key: mas/api-keys
+        property: GOOGLE_API_KEY
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: mas-postgres
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: mas-postgres
+    creationPolicy: Owner
+  data:
+    - secretKey: password
+      remoteRef:
+        key: mas/postgres
+        property: PASSWORD
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: postgresql-root-password
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: postgresql-root-password
+    creationPolicy: Owner
+  data:
+    - secretKey: password
+      remoteRef:
+        key: databases/postgresql
+        property: PASSWORD
+