feat: support Argo CD Git auth modes

[Matthiator]

📝 Summary

Adds mode-aware Argo CD Git repository authentication for bootstrap:

• supports https, ssh, and github-app via ARGOCD_GIT_AUTH_MODE
• keeps existing HTTPS/PAT setups backward compatible through ARGOCD_GIT_HTTPS_URL
• writes initial Argo CD repository Secrets with the correct fields for each auth mode
• stores generated repository URLs under argocd.repo.git
• bumps the config schema to v1alpha2 and migrates existing v1alpha1 configs on load/save
• migrates argocd.repo.https to argocd.repo.git
• removes the redundant terraform.dns.name; Terraform now uses the cluster dnsName
• migrates terraform.dns.email to terraform.dnsContactEmail
• documents PAT/machine-account guidance and SSH known-host requirements

Example from kubara init --prep:

### Git repository values
# ARGOCD_GIT_AUTH_MODE supports: https, ssh, github-app. Empty keeps the legacy https mode.
ARGOCD_GIT_AUTH_MODE='https'
# Prefer ARGOCD_GIT_URL for new setups. ARGOCD_GIT_HTTPS_URL is kept for backward compatibility with existing .env files.
ARGOCD_GIT_URL=''
ARGOCD_GIT_HTTPS_URL='<...>'
# HTTPS mode uses username + password/PAT. PAT usually means Personal Access Token; prefer a technical or machine account, not a personal user account.
ARGOCD_GIT_PAT_OR_PASSWORD='<...>'
ARGOCD_GIT_USERNAME='<...>'
# SSH mode uses ARGOCD_GIT_SSH_PRIVATE_KEY and requires trusted SSH host keys in Argo CD known_hosts.
ARGOCD_GIT_SSH_PRIVATE_KEY=''
# GitHub App mode uses the GitHub App IDs and private key. Enterprise base URL is optional.
ARGOCD_GIT_GITHUB_APP_ID=''
ARGOCD_GIT_GITHUB_APP_INSTALLATION_ID=''
ARGOCD_GIT_GITHUB_APP_PRIVATE_KEY=''
ARGOCD_GIT_GITHUB_APP_ENTERPRISE_BASE_URL=''

Generated config.yaml for HTTPS/PAT:

argocd:
  repo:
    authMode: https
    git:
      customer:
        url: https://github.com/kubara-io/platform.git
        targetRevision: main
      managed:
        url: https://github.com/kubara-io/platform.git
        targetRevision: main

Generated config.yaml for SSH:

argocd:
  repo:
    authMode: ssh
    git:
      customer:
        url: git@github.com:kubara-io/platform.git
        targetRevision: main
      managed:
        url: git@github.com:kubara-io/platform.git
        targetRevision: main

Generated config.yaml for GitHub App:

argocd:
  repo:
    authMode: github-app
    git:
      customer:
        url: https://github.com/kubara-io/platform.git
        targetRevision: main
      managed:
        url: https://github.com/kubara-io/platform.git
        targetRevision: main

🧩 Type of change

• 🔧 CLI / Go code
• 📦 Helm chart
• 🧱 Terraform module
• 📝 Documentation
• 🧪 Test or CI change
• ♻️ Refactor / cleanup

⚠️ Is this a breaking change?

• Yes, this change breaks existing functionality (explain in summary)

No manual migration is expected. Existing configs without a version field first go through the legacy migration, then v1alpha1 configs are migrated automatically to v1alpha2 when kubara loads and saves the config:

• argocd.repo.https moves to argocd.repo.git
• terraform.dns.name is removed because Terraform now derives dns_name from the cluster dnsName
• terraform.dns.email moves to terraform.dnsContactEmail

🧪 Testing

• CI passed
• Manually tested (local/dev cluster)
• Unit tested
• Not tested (explain why below)

Validated locally:

• cd src && make test
• make docs-build
• git diff --check
• generated example outputs for kubara init --prep and kubara init in https, ssh, and github-app modes

🔗 Related Issues / Tickets

Closes #246

✅ Checklist

• Code compiles and passes all tests
• Linting and style checks pass
• Comments added for complex logic
• Documentation updated (if applicable)

📎 Additional Context (optional)

This PR intentionally leaves the generated ExternalSecret helper for additional app repositories on the existing HTTPS/PAT path. SSH and GitHub App support for additional app repositories is planned as a follow-up so the bootstrap auth changes stay reviewable.

terraform.dnsContactEmail is kept because the Stackit DNS zone contact_email value cannot be derived from the cluster dnsName.

[tuunit]

as this is a change to the config, we should bump the config version and therefore check isV1Alpha1 and then reshpae

[tuunit]

lets take the opportunity while changing the config anyways to get rid of the unnecessary dns field in terraform and instead use the dnsName field from the cluster

[Matthiator]

Done in f710814:

• Added ConfigVersionV1Alpha2. Load() now checks isV1Alpha1 and runs an explicit migrateV1Alpha1ToV1Alpha2 instead of the shape detection. The argocd.repo.https -> argocd.repo.git move is now part of that versioned migration. Configs without a version field still go through the legacy migration first and are then migrated to v1alpha2 in the same load.
• Removed terraform.dns: dns_name is now rendered from the cluster dnsName. One thing the dns block also carried was the zone contact email (contact_email on stackit_dns_zone), which cannot be derived from dnsName - I moved it to terraform.dnsContactEmail and the migration relocates dns.email there automatically. Let me know if you'd rather have it somewhere else.