feat(nowchess): add Kargo project, Rollouts deployment, and secrets

- 9 Kargo Warehouses (one per microservice), staging + prod stages
- PromotionTask: clone GitOps, kustomize-set-image, Gitea PR, ArgoCD sync
- BlueGreen Rollouts for all 9 services with health probes and envFrom
- staging,deployed / production,deployed Quarkus multi-profile support
- CORS_ORIGINS and QUARKUS_PROFILE injected via nowchess-env-config ConfigMap
- Plain K8s Secrets with empty values in secrets/nowchess/ (staging, prod, kargo)
- ArgoCD Applications for kargo project, staging, and prod deployments

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

secrets/kustomization.yaml

@@ -7,3 +7,13 @@ resources:
   - github/git-kargo-secret.yaml
   - github/git-nowchess-secret.yaml
   - github/git-pull-secret.yaml
+  - nowchess/staging/ghcr-pull-secret.yaml
+  - nowchess/staging/ncs-jwt-keys.yaml
+  - nowchess/staging/ncs-db-secrets.yaml
+  - nowchess/staging/ncs-internal-secret.yaml
+  - nowchess/prod/ghcr-pull-secret.yaml
+  - nowchess/prod/ncs-jwt-keys.yaml
+  - nowchess/prod/ncs-db-secrets.yaml
+  - nowchess/prod/ncs-internal-secret.yaml
+  - nowchess/kargo/git-secret.yaml
+  - nowchess/kargo/gitea-secret.yaml

secrets/nowchess/kargo/git-secret.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-kargo-secret
+  namespace: nowchess-kargo
+  labels:
+    kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+  repoURL: https://git.janis-eccarius.de/NowChess/Gitops.git
+  repoURLIsRegex: "false"
+  username: ""
+  password: ""

secrets/nowchess/kargo/gitea-secret.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea
+  namespace: nowchess-kargo
+  labels:
+    kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+  repoURL: https://git.janis-eccarius.de/NowChess/Gitops.git
+  username: ""
+  password: ""

secrets/nowchess/prod/ghcr-pull-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ghcr-pull-secret
+  namespace: nowchess
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: ""

secrets/nowchess/prod/ncs-db-secrets.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ncs-db-secrets
+  namespace: nowchess
+type: Opaque
+stringData:
+  ACCOUNT_DB_USER: ""
+  ACCOUNT_DB_PASSWORD: ""
+  ACCOUNT_DB_URL: ""
+  STORE_DB_USER: ""
+  STORE_DB_PASSWORD: ""
+  STORE_DB_URL: ""

secrets/nowchess/prod/ncs-internal-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ncs-internal-secret
+  namespace: nowchess
+type: Opaque
+stringData:
+  INTERNAL_SECRET: ""

secrets/nowchess/prod/ncs-jwt-keys.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ncs-jwt-keys
+  namespace: nowchess
+type: Opaque
+stringData:
+  private.pem: ""
+  public.pem: ""

secrets/nowchess/staging/ghcr-pull-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ghcr-pull-secret
+  namespace: nowchess-staging
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: ""

secrets/nowchess/staging/ncs-db-secrets.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ncs-db-secrets
+  namespace: nowchess-staging
+type: Opaque
+stringData:
+  ACCOUNT_DB_USER: ""
+  ACCOUNT_DB_PASSWORD: ""
+  ACCOUNT_DB_URL: ""
+  STORE_DB_USER: ""
+  STORE_DB_PASSWORD: ""
+  STORE_DB_URL: ""

secrets/nowchess/staging/ncs-internal-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ncs-internal-secret
+  namespace: nowchess-staging
+type: Opaque
+stringData:
+  INTERNAL_SECRET: ""

secrets/nowchess/staging/ncs-jwt-keys.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ncs-jwt-keys
+  namespace: nowchess-staging
+type: Opaque
+stringData:
+  private.pem: ""
+  public.pem: ""