Add railiance01 deployment artifacts and fix container image build

Introduce Dockerfile, entrypoint, and k8s/railiance manifests for the
ArgoCD GitOps pilot (ISSUE-WP-0003). Rename the Gitea PyPI build arg to
GITEA_PYPI_INDEX_URL so pip still resolves dependencies from PyPI.

k8s/railiance/configmap-backends.yaml

@@ -0,0 +1,24 @@
+# Non-secret backend structure for issue-core inside railiance01.
+# Default backend = cluster Gitea (markitect). The Gitea token is NOT here;
+# it is injected at startup from GITEA_BACKEND_TOKEN (ExternalSecret) where the
+# template carries the sentinel "__FROM_ENV__".
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: issue-core-backends
+  namespace: issue-core
+  labels:
+    app.kubernetes.io/name: issue-core
+    app.kubernetes.io/part-of: railiance-gitops
+data:
+  backends.json: |
+    {
+      "markitect": {
+        "type": "gitea",
+        "base_url": "http://gitea-http.default.svc.cluster.local:3000",
+        "owner": "coulomb",
+        "repo": "markitect_project",
+        "token": "__FROM_ENV__"
+      },
+      "default": "markitect"
+    }

k8s/railiance/deployment.yaml

@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: issue-core
+  namespace: issue-core
+  labels:
+    app.kubernetes.io/name: issue-core
+    app.kubernetes.io/part-of: railiance-gitops
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"  # after the ExternalSecret (wave 0)
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: issue-core
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: issue-core
+        app.kubernetes.io/part-of: railiance-gitops
+    spec:
+      # Image is public-pullable from the Gitea registry (per railiance-forge
+      # docs). Add imagePullSecrets: [{name: gitea-registry}] if it becomes private.
+      containers:
+        - name: issue-core
+          image: gitea.coulomb.social/coulomb/issue-core:0.2.0
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8765
+          env:
+            - name: ISSUE_CORE_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: issue-core-runtime
+                  key: ISSUE_CORE_API_KEY
+            - name: GITEA_BACKEND_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: issue-core-runtime
+                  key: GITEA_BACKEND_TOKEN
+            - name: BACKENDS_TEMPLATE
+              valueFrom:
+                configMapKeyRef:
+                  name: issue-core-backends
+                  key: backends.json
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 20
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 256Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            runAsNonRoot: true
+            capabilities:
+              drop: ["ALL"]

k8s/railiance/externalsecret.yaml

@@ -0,0 +1,37 @@
+# Runtime secrets for issue-core, materialized from OpenBao by External Secrets
+# Operator (cluster default per railiance-platform docs/argocd-gitops.md).
+#
+# DEPENDENCY: External Secrets Operator is not yet installed on railiance01 and
+# the OpenBao path below must be provisioned by railiance-platform. Until then
+# this resource will not reconcile and the Deployment stays Pending the Secret.
+#
+# OpenBao path: platform/workloads/issue-core/issue-core/issue-core-runtime
+#   properties: ISSUE_CORE_API_KEY, GITEA_BACKEND_TOKEN
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: issue-core-runtime
+  namespace: issue-core
+  labels:
+    app.kubernetes.io/name: issue-core
+    app.kubernetes.io/part-of: railiance-gitops
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"  # before the Deployment (wave 1)
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    # Provisioned by railiance-platform during ESO install; name TBC on bootstrap.
+    name: openbao
+    kind: ClusterSecretStore
+  target:
+    name: issue-core-runtime
+    creationPolicy: Owner
+  data:
+    - secretKey: ISSUE_CORE_API_KEY
+      remoteRef:
+        key: platform/workloads/issue-core/issue-core/issue-core-runtime
+        property: ISSUE_CORE_API_KEY
+    - secretKey: GITEA_BACKEND_TOKEN
+      remoteRef:
+        key: platform/workloads/issue-core/issue-core/issue-core-runtime
+        property: GITEA_BACKEND_TOKEN

k8s/railiance/kustomization.yaml

@@ -0,0 +1,12 @@
+# issue-core workload manifests, synced by the ArgoCD `issue-core` Application
+# (path k8s/railiance, destination namespace issue-core, CreateNamespace=true).
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: issue-core
+
+resources:
+  - externalsecret.yaml
+  - configmap-backends.yaml
+  - deployment.yaml
+  - service.yaml

k8s/railiance/service.yaml

@@ -0,0 +1,19 @@
+# ClusterIP exposing issue-core on 8765 as
+# issue-core.issue-core.svc.cluster.local:8765 — the address activity-core's
+# ISSUE_CORE_URL points at once its k8s runtime port is corrected (8010 -> 8765).
+apiVersion: v1
+kind: Service
+metadata:
+  name: issue-core
+  namespace: issue-core
+  labels:
+    app.kubernetes.io/name: issue-core
+    app.kubernetes.io/part-of: railiance-gitops
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: issue-core
+  ports:
+    - name: http
+      port: 8765
+      targetPort: http