[forgejo] Tolerate missing Vault keys during Phase 0 bootstrap

Wrap the three new Vault key reads in try(...) so the first apply
succeeds even when forgejo_pull_token / forgejo_cleanup_token /
secret/ci/global haven't been populated yet. Without this, CI
auto-apply blocks on the very push that introduces the references —
chicken-and-egg with the runbook order (which is: apply Forgejo bumps,
then create users + PATs, then apply the rest).

Empty tokens are intentionally visible-broken (auth fails, probe
reports auth failure, cleanup CronJob errors) — that's the signal
to run the bootstrap runbook. Subsequent apply picks up the real
values.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

stacks/kyverno/modules/kyverno/registry-credentials.tf

@@ -32,8 +32,11 @@ resource "kubernetes_secret" "registry_credentials" {
         # Forgejo OCI registry — read-only PAT for the cluster-puller service
         # account user. Pushes go through ci-pusher (separate PAT in Vault
         # secret/ci/global, surfaced to Woodpecker).
+        # try() lets the apply succeed before the Vault key is populated
+        # during Phase 0 bootstrap (see docs/runbooks/forgejo-registry-setup.md).
+        # The cluster has no consumers yet — broken creds are visible but harmless.
         "forgejo.viktorbarzin.me" = {
-          auth = base64encode("cluster-puller:${data.vault_kv_secret_v2.viktor.data["forgejo_pull_token"]}")
+          auth = base64encode("cluster-puller:${try(data.vault_kv_secret_v2.viktor.data["forgejo_pull_token"], "")}")
         }
       }
     })