feat(s3): add cnpg Gitea database cluster + Makefile targets

- helm/gitea-db-cluster.yaml: cnpg Cluster for Gitea (1 instance, 10Gi, pg16)
  bootstraps gitea DB from gitea-db-credentials secret in databases namespace
- helm/gitea-db-secret.sops.yaml.template: credential secret template (encrypt before use)
- Makefile: add db-deploy, db-status, db-shell, db-logs targets; mark pg-deploy legacy
- .gitignore: allow *-cluster.yaml (k8s manifests with no secrets)

Cluster applied to live cluster. RAIL-HO-WP-0004-T03.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitignore

@@ -2,6 +2,8 @@
 helm/*.yaml
 !helm/*.sops.yaml
 !helm/*.yaml.template
+# Kubernetes manifests (no secrets) are safe to commit
+!helm/*-cluster.yaml
 
 # Kubeconfig
 *.kubeconfig

Makefile

@@ -9,7 +9,22 @@ NAMESPACE   := platform
 PG_CHART_VERSION  ?= 16.2.2
 VALKEY_CHART_VERSION ?= 2.x
 
-##@ PostgreSQL HA
+##@ CloudNative PG (cnpg) — primary database operator
+
+db-deploy: ## Apply Gitea cnpg Cluster (creates gitea-db in databases namespace)
+	$(KUBECTL) apply -f helm/gitea-db-cluster.yaml
+
+db-status: ## Show cnpg cluster health
+	$(KUBECTL) cnpg status gitea-db -n databases 2>/dev/null || \
+	  $(KUBECTL) get cluster gitea-db -n databases -o wide
+
+db-shell: ## Open psql shell on gitea-db primary
+	$(KUBECTL) cnpg psql gitea-db -n databases -- -U gitea gitea
+
+db-logs: ## Tail gitea-db primary logs
+	$(KUBECTL) logs -n databases -l cnpg.io/cluster=gitea-db -f --tail=50
+
+##@ PostgreSQL HA (legacy — superseded by cnpg above)
 
 pg-deploy: ## Deploy / upgrade standalone PostgreSQL HA to platform namespace
 	$(KUBECTL) create namespace $(NAMESPACE) --dry-run=client -o yaml | $(KUBECTL) apply -f -
@@ -57,4 +72,4 @@ help: ## Show this help
 	  /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-22s\033[0m %s\n", $$1, $$2 } \
 	  /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
 
-.PHONY: pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status backup help
+.PHONY: db-deploy db-status db-shell db-logs pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status backup help

helm/gitea-db-cluster.yaml

@@ -0,0 +1,44 @@
+---
+# cnpg Cluster for Gitea database
+# Managed by railiance-platform (S3). Operator lives in cnpg-system namespace.
+#
+# Apply: kubectl apply -f helm/gitea-db-cluster.yaml
+# Status: kubectl cnpg status gitea-db -n databases
+#
+# Pre-condition: gitea-db-credentials Secret must exist in databases namespace.
+# Create it (one-time, do NOT commit plaintext):
+#   kubectl create secret generic gitea-db-credentials \
+#     --namespace databases \
+#     --from-literal=username=gitea \
+#     --from-literal=password=<password>
+# Then encrypt with SOPS and commit helm/gitea-db-secret.sops.yaml.
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: gitea-db
+  namespace: databases
+  labels:
+    app.kubernetes.io/name: gitea-db
+    app.kubernetes.io/component: database
+    app.kubernetes.io/managed-by: manual
+    railiance.io/layer: s3-platform
+spec:
+  instances: 1   # bump to 3 when node RAM > 8GB
+  postgresql:
+    version: "16"
+  storage:
+    size: 10Gi
+  bootstrap:
+    initdb:
+      database: gitea
+      owner: gitea
+      secret:
+        name: gitea-db-credentials
+  # Connection pooler can be added later:
+  # managed:
+  #   services:
+  #     additional:
+  #       - selectorType: rw
+  #         serviceTemplate:
+  #           metadata:
+  #             name: gitea-db-pooler-rw

helm/gitea-db-secret.sops.yaml.template

@@ -0,0 +1,14 @@
+# Template for the gitea-db-credentials Secret.
+# DO NOT commit this file with real credentials.
+# Encrypt with: sops -e -i helm/gitea-db-secret.sops.yaml
+# Apply with:   kubectl apply -f <(sops -d helm/gitea-db-secret.sops.yaml)
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-db-credentials
+  namespace: databases
+type: kubernetes.io/basic-auth
+stringData:
+  username: gitea
+  password: REPLACE_WITH_PASSWORD  # encrypt with SOPS before committing