CI: write buildkitd.toml in-container instead of a ConfigMap

The previous approach created a verso-buildkitd-config ConfigMap, but the
workflow's RBAC does not permit creating new cluster resources. Write the
buildkitd.toml (marking the in-cluster registry as http/insecure) directly
inside the buildkit container at runtime via printf, and drop the configMap
volume/mount. No new k8s resources are created.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitea/workflows/deploy-verso.yml

@@ -19,21 +19,6 @@ jobs:
         run: |
           kubectl -n ci delete job verso-buildkit --ignore-not-found=true --wait=true
 
-          # buildkitd config: mark the in-cluster registry as http (insecure)
-          # so the second build can resolve/pull the base image we just pushed.
-          cat <<'EOF' | kubectl apply -f -
-          apiVersion: v1
-          kind: ConfigMap
-          metadata:
-            name: verso-buildkitd-config
-            namespace: ci
-          data:
-            buildkitd.toml: |
-              [registry."registry.git.svc.cluster.local:5000"]
-                http = true
-                insecure = true
-          EOF
-
           cat <<'EOF' | kubectl apply -f -
           apiVersion: batch/v1
           kind: Job
@@ -71,10 +56,15 @@ jobs:
                         # the Traefik ingress, whose read timeout was killing the
                         # multi-GB TeX Live layer upload mid-stream. The base
                         # image is pulled back in for the second build, so the
-                        # registry must be marked insecure for both push and pull
-                        # (buildkitd.toml handles the pull/resolve side).
+                        # registry must be marked insecure for both push and pull.
+                        # Write buildkitd.toml inside the container (no extra
+                        # k8s resources needed) so the second build's pull/resolve
+                        # treats the registry as http.
                         REG=registry.git.svc.cluster.local:5000
 
+                        mkdir -p /etc/buildkit
+                        printf '[registry."%s"]\n  http = true\n  insecure = true\n' "$REG" > /etc/buildkit/buildkitd.toml
+
                         buildctl-daemonless.sh build \
                           --frontend=dockerfile.v0 \
                           --local context=/workspace/repo \
@@ -92,15 +82,10 @@ jobs:
                     volumeMounts:
                       - name: workspace
                         mountPath: /workspace
-                      - name: buildkitd-config
-                        mountPath: /etc/buildkit
 
                 volumes:
                   - name: workspace
                     emptyDir: {}
-                  - name: buildkitd-config
-                    configMap:
-                      name: verso-buildkitd-config
           EOF
 
       - name: Wait for build