feat(s3): add cnpg Gitea database cluster + Makefile targets

- helm/gitea-db-cluster.yaml: cnpg Cluster for Gitea (1 instance, 10Gi, pg16)
  bootstraps gitea DB from gitea-db-credentials secret in databases namespace
- helm/gitea-db-secret.sops.yaml.template: credential secret template (encrypt before use)
- Makefile: add db-deploy, db-status, db-shell, db-logs targets; mark pg-deploy legacy
- .gitignore: allow *-cluster.yaml (k8s manifests with no secrets)

Cluster applied to live cluster. RAIL-HO-WP-0004-T03.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Makefile

@@ -9,7 +9,22 @@ NAMESPACE   := platform
 PG_CHART_VERSION  ?= 16.2.2
 VALKEY_CHART_VERSION ?= 2.x
 
-##@ PostgreSQL HA
+##@ CloudNative PG (cnpg) — primary database operator
+
+db-deploy: ## Apply Gitea cnpg Cluster (creates gitea-db in databases namespace)
+	$(KUBECTL) apply -f helm/gitea-db-cluster.yaml
+
+db-status: ## Show cnpg cluster health
+	$(KUBECTL) cnpg status gitea-db -n databases 2>/dev/null || \
+	  $(KUBECTL) get cluster gitea-db -n databases -o wide
+
+db-shell: ## Open psql shell on gitea-db primary
+	$(KUBECTL) cnpg psql gitea-db -n databases -- -U gitea gitea
+
+db-logs: ## Tail gitea-db primary logs
+	$(KUBECTL) logs -n databases -l cnpg.io/cluster=gitea-db -f --tail=50
+
+##@ PostgreSQL HA (legacy — superseded by cnpg above)
 
 pg-deploy: ## Deploy / upgrade standalone PostgreSQL HA to platform namespace
 	$(KUBECTL) create namespace $(NAMESPACE) --dry-run=client -o yaml | $(KUBECTL) apply -f -
@@ -57,4 +72,4 @@ help: ## Show this help
 	  /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-22s\033[0m %s\n", $$1, $$2 } \
 	  /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
 
-.PHONY: pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status backup help
+.PHONY: db-deploy db-status db-shell db-logs pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status backup help