refactor: deduplicate constants, fix secret key mismatch, add VSS pruning

- New src/constants.rs: single source for MANAGED_NS (includes monitoring)
  and GITEA_ADMIN_USER, imported by all modules that previously had copies
- Fix checks.rs reading wrong key names from gitea-admin-credentials secret
- Add VaultStaticSecret pruning in pre_apply_cleanup (H1)
- Fix cert_manager_present check (was always true after canonicalize)
- Add warnings for silent failures in pre_apply_cleanup
- Fix os_api dead variable assignment
- Set TLS private key permissions to 0600
- Redact Gitea admin password in print_urls

src/services.rs

@@ -5,22 +5,10 @@ use k8s_openapi::api::core::v1::Pod;
 use kube::api::{Api, DynamicObject, ListParams, LogParams};
 use kube::ResourceExt;
 use std::collections::BTreeMap;
+use crate::constants::MANAGED_NS;
 use crate::kube::{get_client, kube_rollout_restart, parse_target};
 use crate::output::{ok, step, warn};
 
-/// Namespaces managed by sunbeam.
-pub const MANAGED_NS: &[&str] = &[
-    "data",
-    "devtools",
-    "ingress",
-    "lasuite",
-    "matrix",
-    "media",
-    "ory",
-    "storage",
-    "vault-secrets-operator",
-];
-
 /// Services that can be rollout-restarted, as (namespace, deployment) pairs.
 pub const SERVICES_TO_RESTART: &[(&str, &str)] = &[
     ("ory", "hydra"),
@@ -462,8 +450,9 @@ mod tests {
         assert!(MANAGED_NS.contains(&"matrix"));
         assert!(MANAGED_NS.contains(&"media"));
         assert!(MANAGED_NS.contains(&"storage"));
+        assert!(MANAGED_NS.contains(&"monitoring"));
         assert!(MANAGED_NS.contains(&"vault-secrets-operator"));
-        assert_eq!(MANAGED_NS.len(), 9);
+        assert_eq!(MANAGED_NS.len(), 10);
     }
 
     #[test]