fix(core): 🐛 remove template vars from secrets-backup — use K8s secrets directly

The deploy workflow does not have BACKUP_ENCRYPTION_KEY/BACKUP_BUCKET/OBS_ENDPOINT
env vars. Redesigned to reference existing forgejo-cloud-credentials K8s secret
and hardcode OBS endpoint, matching the pattern of forgejo-s3-backup-cronjob.

Ref: IPCEICIS-9317

template/stacks/core/secrets-backup/manifests/secrets-backup-cronjob.yaml

@@ -36,7 +36,9 @@ metadata:
   namespace: gitea
 type: Opaque
 stringData:
-  encryption-passphrase: "{{{ .Env.BACKUP_ENCRYPTION_KEY }}}"
+  # IMPORTANT: Replace this placeholder with a strong passphrase per environment.
+  # This secret should be managed via external-secrets or manually set after initial deploy.
+  encryption-passphrase: "CHANGE-ME-SET-PER-ENVIRONMENT"
 ---
 apiVersion: batch/v1
 kind: CronJob
@@ -77,10 +79,13 @@ spec:
                     secretKeyRef:
                       name: secrets-backup-config
                       key: encryption-passphrase
-                - name: BACKUP_BUCKET
-                  value: "{{{ .Env.BACKUP_BUCKET }}}"
+                - name: SOURCE_BUCKET
+                  valueFrom:
+                    secretKeyRef:
+                      name: forgejo-cloud-credentials
+                      key: bucket-name
                 - name: OBS_ENDPOINT
-                  value: "{{{ .Env.OBS_ENDPOINT }}}"
+                  value: "obs.eu-de.otc.t-systems.com"
               command:
                 - /bin/sh
                 - -c
@@ -115,7 +120,7 @@ spec:
 
                   echo "=== Uploading to OBS ==="
                   aws s3 cp "${ENCRYPTED}" \
-                    "s3://${BACKUP_BUCKET}/secrets-backup/${TIMESTAMP}/secrets-backup.tar.gz.enc" \
+                    "s3://${SOURCE_BUCKET}/cluster-secrets-backup/${TIMESTAMP}/secrets-backup.tar.gz.enc" \
                     --endpoint-url "https://${OBS_ENDPOINT}"
 
                   echo "=== Cleanup ==="