fix(k8s/infra): split infrastructure into controllers and configs stages

ClusterIssuer dry-run fails because cert-manager CRDs are not yet
installed when the single infrastructure Kustomization is applied.
Split into infrastructure-controllers (Helm charts that install CRDs)
and infrastructure-configs (CRD-dependent resources like ClusterIssuer)
with a dependency between them.

kubernetes/infrastructure/controllers/traefik/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik
+  labels:
+    pod-security.kubernetes.io/enforce: privileged

kubernetes/infrastructure/controllers/traefik/release.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: traefik
+  namespace: traefik
+spec:
+  chart:
+    spec:
+      chart: traefik
+      version: 39.0.0
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: traefik
+        namespace: flux-system
+  interval: 1m0s
+  values:
+    service:
+      type: ClusterIP
+    ports:
+      web:
+        hostPort: 80
+      websecure:
+        hostPort: 443

kubernetes/infrastructure/controllers/traefik/repository.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: traefik
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  url: https://traefik.github.io/charts