traefik: x402-gateway image forgejo -> ghcr + KEEL_IGNORE_IMAGE (ADR-0002 infra#28)
All checks were successful
ci/woodpecker/push/default Pipeline was successful
ci/woodpecker/push/build-cli Pipeline was successful

Formalizing x402-gateway CI (was a manual no-CI image). The deployment
lives in the traefik module; its image was NOT in ignore_changes, so a
set-image deploy would be reverted on the next traefik apply — added it
(KEEL_IGNORE_IMAGE). Base repointed to ghcr:latest; the GHA deploy
set-images the :sha8. Public ghcr package = no pull secret. Inert on the
live pod (image now ignored); rolling cutover keeps forwardAuth up.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Viktor Barzin 2026-06-13 02:42:45 +00:00
parent bdea34b992
commit 90fb0685ae


@ -572,7 +572,7 @@ resource "kubernetes_deployment" "x402_gateway" {
}
container {
name = "x402-gateway"
image = "forgejo.viktorbarzin.me/viktor/x402-gateway:d9b83125"
image = "ghcr.io/viktorbarzin/x402-gateway:latest"
port {
name = "http"
container_port = 8923
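Review bot: The new base on the `image =` line moves from a fixed tag (`:d9b83125`) to the mutable `:latest`, so any create or re-create of this deployment from Terraform runs whatever was last pushed to ghcr until the deploy job set-images a sha tag. Suggest keeping the base pinned to a known-good sha8 tag or an `@sha256:` digest. Because the image attribute is ignored in the lifecycle block further down, a pinned base costs nothing on later applies and avoids starting an unreviewed image on a cold start.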
@ -664,6 +664,9 @@ resource "kubernetes_deployment" "x402_gateway" {
# KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
ignore_changes = [
spec[0].template[0].spec[0].dns_config,
# KEEL_IGNORE_IMAGE: the GHA->ghcr build (ADR-0002 infra#28) set-images
# the running :sha8 tag; don't let terragrunt revert it to :latest.
spec[0].template[0].spec[0].container[0].image,
# KEEL_LIFECYCLE_V1: keel.sh annotations + tier label are stamped on the
# live object (keel enrollment / resource-governance) don't strip them.
metadata[0].annotations["keel.sh/policy"],
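Review bot: Ignoring `spec[0].template[0].spec[0].container[0].image` means a plan no longer shows any change to this container's image, including one that did not come from the GHA deploy, and the path is index-based, so it stops covering x402-gateway if another container is ever placed first. Suggest stating in the comment that `container[0]` must remain the gateway container and, since Kyverno is already in the admission path per the comment at the top of this block, restricting this deployment's image to `ghcr.io/viktorbarzin/x402-gateway` there to compensate for the lost drift detection. The `KEEL_IGNORE_IMAGE` marker also names Keel while the comment says the GHA build sets the tag; the comment should say which of the two owns the image.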