feat: HTTP→HTTPS 自动跳转

- 新增 redirect-https-middleware.yaml（Traefik Middleware）
- Ingress 加 traefik.ingress.kubernetes.io/router.middlewares annotation
- CI 流水线在 Ingress 之前 apply middleware

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/deploy.yaml

@@ -112,6 +112,7 @@ jobs:
                 --dry-run=client -o yaml | kubectl apply -f -
 
               kubectl apply -f k8s/cert-manager-issuer.yaml
+              kubectl apply -f k8s/redirect-https-middleware.yaml
               kubectl apply -f k8s/backend-deployment.yaml
               kubectl apply -f k8s/backend-ingress.yaml
               kubectl apply -f k8s/web-deployment.yaml

k8s/backend-ingress.yaml

@@ -5,6 +5,7 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: "traefik"
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    traefik.ingress.kubernetes.io/router.middlewares: "default-redirect-https@kubernetescrd"
 spec:
   tls:
   - hosts:

k8s/redirect-https-middleware.yaml

@@ -0,0 +1,8 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-https
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true

k8s/web-ingress.yaml

@@ -5,6 +5,7 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: "traefik"
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    traefik.ingress.kubernetes.io/router.middlewares: "default-redirect-https@kubernetescrd"
 spec:
   tls:
   - hosts: