ci: add Docker Hub auth + proxy CA to inttest namespace, fix MinIO pull secret

infra/inttest/minio.yaml

@@ -25,6 +25,8 @@ spec:
         tier: infra
     spec:
       automountServiceAccountToken: false
+      imagePullSecrets:
+        - name: dockerhub-credentials
       securityContext:
         runAsNonRoot: true
         runAsUser: 1000
@@ -116,6 +118,8 @@ spec:
         app: minio-bucket-init
         tier: infra
     spec:
+      imagePullSecrets:
+        - name: dockerhub-credentials
       automountServiceAccountToken: false
       securityContext:
         runAsNonRoot: true

infra/inttest/run_pipeline.sh

@@ -224,6 +224,25 @@ else
   log "GHCR_TOKEN not set — skipping image pull secret (images must be pullable without auth)"
 fi
 
+# ── Create Docker Hub pull secret (avoid rate limits) ────────────────────────
+if [ -n "${DOCKERHUB_USER:-}" ] && [ -n "${DOCKERHUB_TOKEN:-}" ]; then
+  log "Creating dockerhub-credentials secret ..."
+  kubectl create secret docker-registry dockerhub-credentials \
+    --docker-server=https://index.docker.io/v1/ \
+    --docker-username="$DOCKERHUB_USER" \
+    --docker-password="$DOCKERHUB_TOKEN" \
+    -n "$NAMESPACE" || true
+else
+  log "DOCKERHUB_USER/TOKEN not set — skipping Docker Hub pull secret"
+fi
+
+# ── Create proxy CA cert ConfigMap (for Squid SSL bump) ─────────────────────
+CA_CERT_URL="http://192.168.42.1/home.crt"
+if curl -sf "$CA_CERT_URL" -o /tmp/home.crt 2>/dev/null; then
+  kubectl create configmap proxy-ca-cert --from-file=ca.crt=/tmp/home.crt -n "$NAMESPACE" 2>/dev/null || true
+  log "proxy-ca-cert ConfigMap created"
+fi
+
 # ══════════════════════════════════════════════════════════════════════════════
 # Stage: Deploy infra (postgres, redis, minio)
 # ══════════════════════════════════════════════════════════════════════════════