Add vergabe role + vergabe_db database for RAILIANCE-WP-0002 T04

First consumer of the shared apps-pg cluster: managed role vergabe in apps-pg-cluster.yaml plus Database CR vergabe-db in new helm/apps-pg-databases.yaml. .gitignore whitelists helm/*-databases.yaml. Workplan implementation notes from codex folded in. Live: Database CR applied=true, psql from vergabe-teilnahme ns returns PostgreSQL 16.13.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

helm/apps-pg-cluster.yaml

@@ -34,8 +34,18 @@ spec:
       owner: apps_admin
       secret:
         name: apps-pg-credentials
+  # Per-app PostgreSQL roles are added here (CNPG 1.28 role lifecycle is
+  # cluster-scoped — no standalone Role CR). The credential Secret for
+  # each role lives in the databases namespace and is mirrored into the
+  # consumer namespace by the consuming repo. See docs/apps-pg.md.
+  managed:
+    roles:
+      - name: vergabe                    # RAILIANCE-WP-0002 T04 (vergabe-teilnahme)
+        ensure: present
+        login: true
+        passwordSecret:
+          name: vergabe-app-credentials
   # HA replica + connection pooler are deferred (RAILIANCE-WP-0003 Notes):
-  # managed:
   #   services:
   #     additional:
   #       - selectorType: rw

helm/apps-pg-databases.yaml

@@ -0,0 +1,21 @@
+---
+# Per-consumer CNPG Database CRs against apps-pg.
+# Each entry is a database in the shared cluster, owned by a per-app
+# role declared in helm/apps-pg-cluster.yaml under spec.managed.roles.
+# See docs/apps-pg.md for the onboarding contract.
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: vergabe-db                       # RAILIANCE-WP-0002 T04
+  namespace: databases
+  labels:
+    app.kubernetes.io/name: apps-pg
+    app.kubernetes.io/component: database-instance
+    railiance.io/layer: s3-platform
+    railiance.io/consumer: vergabe-teilnahme
+spec:
+  cluster:
+    name: apps-pg
+  name: vergabe_db
+  owner: vergabe
+  ensure: present