feat(eso): chart 0.6.0 - ESO subchart + ClusterSecretStore + gitea-archive-pull ExternalSecret

Phase 1 of Item #9 (Tower-stamped Secrets → ESO + OpenBao migration).
Replaces Tower's imperative kubectl-stamp of gitea-archive-pull with
a declarative ExternalSecret synced from OpenBao at v3/platform/gitea-
archive-pull. Other 4 Tower-stamped Secrets (cloudflare, s3-backup,
longhorn-s3, docker-mirror-pull) remain on legacy path.

Tower must pass externalSecrets.openbao.mountPath as a per-cluster
helm parameter (kubernetes-<server-name>) for ESO to activate; chart
guards against unset mountPath via {{ if }} in both new templates.

values.yaml

@@ -255,3 +255,27 @@ longhorn:
   persistence:
     defaultClass: false
     defaultClassReplicaCount: 1
+
+# externalSecrets — pilot delivery path for platform-scope Secrets
+# previously kubectl-stamped by Tower. 2026-05-07 Phase 1 scope:
+# `gitea-archive-pull` only. The other 4 Tower-stamped Secrets stay
+# on the legacy path until a dedicated sprint (Item #9, v3 open
+# queue).
+#
+# .openbao.mountPath is per-cluster — Tower passes this as a helm
+# parameter so each tenant cluster's ESO authenticates against its
+# own OpenBao auth mount (`auth/kubernetes-<cluster>`). Empty default
+# means "off"; new clusters with no Tower wiring stay legacy.
+externalSecrets:
+  enabled: true
+  openbao:
+    server: "https://vault.odoosky.org"
+    mountPath: ""    # Tower fills this per-cluster, e.g. "kubernetes-customer1"
+    role: "eso"
+
+# external-secrets — values passed THROUGH to the upstream subchart
+# (Chart.yaml dependency name = "external-secrets"). CRDs install on
+# first apply. Resource limits conservative — ESO is event-driven
+# and idle most of the time.
+external-secrets:
+  installCRDs: true