feat(apps): add forte-drop-secrets sealed secret

Sealed forte-drop-secrets with the real UpCloud Managed Object Storage
creds (existing drops bucket), PG creds matching the deployed
forte-drop-pg-creds, and PASSWORD_GATE_SECRET. Consumed by both web +
mcp deployments (envSecretName) and the pg-backup CronJob (S3 creds).

apps/base/forte-drop/kustomization.yaml

@@ -4,5 +4,5 @@ resources:
 - forte-drop.yaml
 - keycloak-client-forte-drop.yaml
 - forte-drop-pdb.yaml
-# - forte-drop-secrets-sealed.yaml          # added in follow-up commit
+- forte-drop-secrets-sealed.yaml
 # - auth-oidc-sealed.yaml                   # added in follow-up commit (after Keycloak registrar creates client_secret)