feat(caddy): use cert-manager for TLS certificates

- Add Certificate CRDs for vhaudiquet.fr, wildcard, and buildpath.win
- Keep semery.fr certs in certificates-secret.yaml (manual until OVH API)
- Update Caddyfile to use new TLS certificate paths (tls.crt/tls.key)
- Update values.yaml to mount cert-manager secrets for Cloudflare domains
- Mount semery.fr certs from caddy-certificates secret with item mappings

Certificates for Cloudflare domains will be auto-renewed by cert-manager.

kubernetes/system/caddy/caddyfile.yaml

@@ -16,12 +16,12 @@ metadata:
 data:
   Caddyfile: |
     vhaudiquet.fr {
-      tls /etc/caddy/certs/vhaudiquet-fr.crt /etc/caddy/certs/vhaudiquet-fr.key
+      tls /etc/caddy/certs/vhaudiquet-fr/tls.crt /etc/caddy/certs/vhaudiquet-fr/tls.key
       reverse_proxy 10.1.2.171:80
     }
 
     *.vhaudiquet.fr {
-        tls /etc/caddy/certs/wildcard-vhaudiquet-fr.crt /etc/caddy/certs/wildcard-vhaudiquet-fr.key
+        tls /etc/caddy/certs/wildcard-vhaudiquet-fr/tls.crt /etc/caddy/certs/wildcard-vhaudiquet-fr/tls.key
 
         # Kubernetes services (via Traefik)
         @authentik   host authentik.vhaudiquet.fr
@@ -83,11 +83,11 @@ data:
     }
 
     semery.fr {
-      tls /etc/caddy/certs/semery-fr.crt /etc/caddy/certs/semery-fr.key
+      tls /etc/caddy/certs/semery-fr/tls.crt /etc/caddy/certs/semery-fr/tls.key
       reverse_proxy 10.1.2.212:80
     }
 
     buildpath.win {
-      tls /etc/caddy/certs/buildpath-win.crt /etc/caddy/certs/buildpath-win.key
+      tls /etc/caddy/certs/buildpath-win/tls.crt /etc/caddy/certs/buildpath-win/tls.key
       reverse_proxy 10.1.2.212:80
     }