fix(helm): correct secret name references and add migration env var

- Secret resource now named with -secrets suffix to match all template refs
- Add CREDENTIAL_ENCRYPTION_KEY to migration init container (VPN migration needs it)
- Fix postgres secretKeyRef to use -secrets suffix

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

infrastructure/helm/templates/api-deployment.yaml

@@ -56,6 +56,11 @@ spec:
                 configMapKeyRef:
                   name: {{ include "tod.fullname" . }}
                   key: SYNC_DATABASE_URL
+            - name: CREDENTIAL_ENCRYPTION_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "tod.fullname" . }}-secrets
+                  key: CREDENTIAL_ENCRYPTION_KEY
           securityContext:
             runAsUser: 1001
             runAsNonRoot: true

infrastructure/helm/templates/postgres-statefulset.yaml

@@ -72,14 +72,14 @@ spec:
             - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "tod.fullname" . }}
+                  name: {{ include "tod.fullname" . }}-secrets
                   key: DB_PASSWORD
             - name: APP_USER
               value: {{ .Values.postgres.auth.appUsername | quote }}
             - name: APP_USER_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "tod.fullname" . }}
+                  name: {{ include "tod.fullname" . }}-secrets
                   key: DB_APP_PASSWORD
           volumeMounts:
             - name: postgres-data

infrastructure/helm/templates/secrets.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "tod.fullname" . }}
+  name: {{ include "tod.fullname" . }}-secrets
   labels:
     {{- include "tod.labels" . | nindent 4 }}
 type: Opaque