feat(eso): chart 0.7.0 — migrate all 4 remaining Tower-stamped Secrets to ExternalSecret

Phase 2 of Item #9. Adds ExternalSecret manifests for:
  - docker-mirror-pull (×2 namespaces, dockerconfigjson template)
  - cloudflare-api-token-<slug> (per-tenant, gated on tenant.id+slug)
  - s3-backup-creds (per-tenant, in tenants ns)
  - longhorn-s3-creds (per-tenant, gated on tenant.s3Endpoint)

New helm values: tenant.id, tenant.slug, tenant.s3Endpoint. Tower must
pass these per-cluster (next ship). All manifests gated on
externalSecrets.enabled + mountPath set + tenant.id set, so old apps
without the new params remain on the legacy Tower-stamped path until
the operator opts them in.

templates/cloudflare-api-token-externalsecret.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.externalSecrets.enabled }}
+{{- if .Values.externalSecrets.openbao.mountPath }}
+{{- if and .Values.tenant.id .Values.tenant.slug }}
+# cloudflare-api-token-<slug> — per-tenant CF token used by cert-manager's
+# DNS-01 solver. Pulled from OpenBao path v3/tenants/<id>/cloudflare-token,
+# field api_token, exposed as Secret key "api-token" (matches what the
+# ClusterIssuer references via secretKeyRef.key in cluster-issuer.yaml).
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: cloudflare-api-token-{{ .Values.tenant.slug }}
+  namespace: odoosky-system
+  labels:
+    app.kubernetes.io/managed-by: cluster-platform-v3
+    odoosky.io/tenant: {{ .Values.tenant.id | quote }}
+spec:
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: openbao-platform
+    kind: ClusterSecretStore
+  target:
+    name: cloudflare-api-token-{{ .Values.tenant.slug }}
+    creationPolicy: Owner
+    deletionPolicy: Retain
+  data:
+    - secretKey: api-token
+      remoteRef:
+        key: tenants/{{ .Values.tenant.id }}/cloudflare-token
+        property: api_token
+{{- end }}
+{{- end }}
+{{- end }}