feat(helm): add secrets and configmap templates

Single Secret with all sensitive values (JWT, encryption keys, DB
passwords, SMTP credentials, poller DB URL). Single ConfigMap with
all non-sensitive config including URL helpers and optional value guards.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

infrastructure/helm/templates/secrets.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "tod.fullname" . }}
+  labels:
+    {{- include "tod.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  JWT_SECRET_KEY: {{ .Values.secrets.jwtSecretKey | quote }}
+  CREDENTIAL_ENCRYPTION_KEY: {{ .Values.secrets.credentialEncryptionKey | quote }}
+  OPENBAO_TOKEN: {{ .Values.secrets.openbaoToken | quote }}
+  BAO_UNSEAL_KEY: {{ .Values.secrets.baoUnsealKey | quote }}
+  FIRST_ADMIN_EMAIL: {{ .Values.secrets.firstAdminEmail | quote }}
+  FIRST_ADMIN_PASSWORD: {{ .Values.secrets.firstAdminPassword | quote }}
+  DB_PASSWORD: {{ .Values.secrets.dbPassword | quote }}
+  DB_APP_PASSWORD: {{ .Values.secrets.dbAppPassword | quote }}
+  DB_POLLER_PASSWORD: {{ .Values.secrets.dbPollerPassword | quote }}
+  POLLER_DATABASE_URL: {{ include "tod.pollerDatabaseUrl" . | quote }}
+  SMTP_USER: {{ .Values.secrets.smtpUser | quote }}
+  SMTP_PASSWORD: {{ .Values.secrets.smtpPassword | quote }}