feat: add ArgoCD bootstrap with ApplicationSet pattern

- Add root ApplicationSet using Git Directory Generator
- Configure AppProjects for infrastructure and apps separation
- Add cert-manager with Let's Encrypt ClusterIssuers (staging/prod)
- Add SOPS configuration for age-encrypted secrets
- Add bootstrap documentation (docs/BOOTSTRAP.md)
- Scaffold infrastructure dirs (networking, storage, monitoring)
- Update README with quick start and architecture

GitOps pattern: directories auto-discovered by ArgoCD ApplicationSets
Reference: CNCF App-of-Apps best practices 2025

infrastructure/cert-manager/clusterissuers.yaml

@@ -0,0 +1,54 @@
+# infrastructure/cert-manager/clusterissuers.yaml
+# Let's Encrypt ClusterIssuers for TLS certificates
+# Usage: Add annotation to Ingress:
+#   cert-manager.io/cluster-issuer: letsencrypt-prod
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # Staging endpoint for testing (higher rate limits, fake certs)
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: admin@example.com  # TODO: Update with your email
+    privateKeySecretRef:
+      name: letsencrypt-staging-account-key
+    solvers:
+      # HTTP-01 challenge via Ingress
+      - http01:
+          ingress:
+            ingressClassName: istio
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # Production endpoint (rate limited, real certs)
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: admin@example.com  # TODO: Update with your email
+    privateKeySecretRef:
+      name: letsencrypt-prod-account-key
+    solvers:
+      # HTTP-01 challenge via Ingress
+      - http01:
+          ingress:
+            ingressClassName: istio
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
+---
+# Internal CA for service-to-service mTLS
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: internal-ca
+spec:
+  ca:
+    secretName: internal-ca-key-pair

infrastructure/cert-manager/kustomization.yaml

@@ -0,0 +1,48 @@
+# infrastructure/cert-manager/kustomization.yaml
+# Cert-Manager with Let's Encrypt ClusterIssuers
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: cert-manager
+
+resources:
+  - namespace.yaml
+  - clusterissuers.yaml
+
+helmCharts:
+  - name: cert-manager
+    repo: https://charts.jetstack.io
+    version: v1.14.4
+    releaseName: cert-manager
+    namespace: cert-manager
+    valuesInline:
+      installCRDs: true
+      replicaCount: 1
+      # Pod Security Standards compliance
+      podSecurityPolicy:
+        enabled: false
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      containerSecurityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
+        readOnlyRootFilesystem: true
+      webhook:
+        securityContext:
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+      cainjector:
+        securityContext:
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+      # Prometheus ServiceMonitor
+      prometheus:
+        enabled: true
+        servicemonitor:
+          enabled: true

infrastructure/cert-manager/namespace.yaml

@@ -0,0 +1,11 @@
+# infrastructure/cert-manager/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/component: certificate-management
+    # Pod Security Standards
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/warn: restricted

infrastructure/monitoring/kustomization.yaml

@@ -0,0 +1,13 @@
+# infrastructure/monitoring/kustomization.yaml
+# Monitoring: Prometheus, Grafana, Alertmanager
+# TODO: Add kube-prometheus-stack helm chart
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: monitoring
+
+resources: []
+# Future additions via helmCharts:
+# - kube-prometheus-stack
+# - loki
+# - grafana dashboards

infrastructure/networking/kustomization.yaml

@@ -0,0 +1,12 @@
+# infrastructure/networking/kustomization.yaml
+# Networking stack: Istio ingress, DNS, Network Policies
+# TODO: Add Istio Gateway, VirtualService templates
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: istio-system
+
+resources: []
+# Future additions:
+# - gateway.yaml
+# - default-network-policies.yaml

infrastructure/storage/kustomization.yaml

@@ -0,0 +1,10 @@
+# infrastructure/storage/kustomization.yaml
+# Storage: NFS provisioner, PVC templates
+# TODO: Add NFS StorageClass pointing to TrueNAS
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources: []
+# Future additions:
+# - nfs-storageclass.yaml
+# - default-pvc-templates.yaml