fix: allow Kyverno egress to Gitea external for registry token exchange

After changing Gitea ROOT_URL to https://git.georgepet.duckdns.org,
the registry V2 auth challenge redirects to the external URL.
Kyverno needs to reach 185.47.204.231:443 for token exchange.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/infra-network-policies/kyverno.yaml

@@ -59,6 +59,13 @@ spec:
       ports:
         - port: 3000
           protocol: TCP
+    # Gitea external (registry token exchange via ROOT_URL)
+    - to:
+        - ipBlock:
+            cidr: 185.47.204.231/32
+      ports:
+        - port: 443
+          protocol: TCP
 ---
 # Background controller: K8s API + registry
 apiVersion: networking.k8s.io/v1
@@ -84,6 +91,13 @@ spec:
       ports:
         - port: 3000
           protocol: TCP
+    # Gitea external (registry token exchange via ROOT_URL)
+    - to:
+        - ipBlock:
+            cidr: 185.47.204.231/32
+      ports:
+        - port: 443
+          protocol: TCP
 ---
 # Cleanup controller: K8s API only
 apiVersion: networking.k8s.io/v1