fix(ascoachingogvaner): reconcile static tenant (tag 1.1.0, drop CNPG patch)#1587

Closed
devantler wants to merge 1 commit into
mainfrom
claude/ascoachingogvaner-static-tenant-fixup

Conversation

@devantler
Contributor

🛑 Prod breakage — ascoachingogvaner tenant reconciliation is failing

The static-site conversion (ascoachingogvaner#9, released v1.1.0) and the SOPS removal (#1582) merged into platform v1.2.0 without the coordinating tenant changes, leaving a broken state on main:

  1. SOPS ciphertext (active now): the tenant OCIRepository is still pinned at app 1.0.1, which ships the SOPS-encrypted admin-code-secret.enc.yaml. chore(ascoachingogvaner): drop dead SOPS decryption (app has no secrets) #1582 removed the Kustomization's decryption: sops, so Flux applies the encrypted Secret raw → reconcile fails. Image-automation hadn't advanced the tag (10+ min after v1.1.0 publish).
  2. CNPG patch mismatch (latent): the hetzner overlay patches Cluster/ascoaching-db, which the static v1.1.0 no longer ships → patching a non-existent target fails the kustomize build, so even after the tag advances the tenant would stay broken.

Fix

| File | Change |
|---|---|
| k8s/bases/apps/ascoachingogvaner/sync.yaml | Bump OCIRepository tag 1.0.1 → 1.1.0 (static manifest artifact; tag verified published in GHCR). 1.1.0 has no *.enc.yaml, so the already-removed SOPS decryption is correct. |
| …/providers/hetzner/apps/ascoachingogvaner/patches/kustomization-patch.yaml | Drop the Cluster/ascoaching-db storageClass patch (keep the HTTPRoute hostname patch). |
| k8s/bases/apps/ascoachingogvaner/networkpolicy.yaml | Remove dead DB rules (cnpg-system 8000/5432, postgres-exporter 9187, intra-ns + kube-apiserver egress); keep gateway ingress :3000 + DNS egress. |

Validation / caveats

  • ksail --config ksail.prod.yaml workload validate → 261 files validated.
  • The CNPG-patch fix is a Flux runtime behavior (spec.patches is data in the Kustomization CR), so static build can't exercise it — correctness is by inspection. The tenant is prod-only, so CI's system test doesn't cover it either.
  • The tag bump matches what image-automation would commit (semver >=1.0.0 → 1.1.0); doing it here closes the SOPS window deterministically since automation hadn't.

Recommend fast-tracking (promote/merge) to clear the prod failure. After merge + reconcile, the tenant serves the static v1.1.0 site with no secrets and no DB. If you have cluster access, worth confirming the ascoachingogvaner Kustomization goes Ready.

🤖 Generated with Claude Code

… patch)

The tenant reconciliation is broken in prod after the static-site conversion
landed alongside the SOPS removal:

1. SOPS ciphertext: the OCIRepository was still pinned at app `1.0.1` (which
   ships the SOPS-encrypted admin-code-secret.enc.yaml), but #1582 removed the
   tenant Kustomization's `decryption: sops`. Flux applies the encrypted Secret
   raw -> reconcile fails. Image-automation had not advanced the tag.
2. CNPG patch mismatch: the hetzner overlay patched Cluster/ascoaching-db,
   which the static app (v1.1.0) no longer ships -> kustomize build fails on a
   non-existent target, so even after the tag bump the tenant would stay broken.

Fix:
- sync.yaml: bump the OCIRepository tag 1.0.1 -> 1.1.0 (the static manifest
  artifact; verified published). No enc file in 1.1.0, so the (already removed)
  SOPS decryption is correct.
- kustomization-patch.yaml: drop the Cluster/ascoaching-db storageClass patch
  (keep the HTTPRoute hostname patch).
- networkpolicy.yaml: remove the now-dead DB rules (cnpg-system 8000/5432,
  postgres-exporter 9187, intra-namespace + kube-apiserver egress); keep gateway
  ingress :3000 and DNS egress.

Note: the CNPG-patch fix is a Flux runtime behavior (spec.patches is data in the
Kustomization CR), so static validation (ksail workload validate, 261 files)
can't exercise it; correctness is by inspection. The tenant is prod-only, so CI
does not cover it either.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
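The caveat in the description above, that the patch-target mismatch only surfaces at Flux runtime and was verified by inspection, is exactly what a pre-merge lint can cover. The script below is an added example, not tooling from this repository, from Flux or from ksail. It takes the Flux Kustomization CR and the rendered objects of the artifact it will apply, both as plain Python dicts (a real run would load them with `yaml.safe_load_all` over the CR manifest and the `kustomize build` output of the pulled artifact), and reports two things: SOPS-encrypted objects shipped while `spec.decryption` is absent, and `spec.patches` targets that match nothing in the artifact. The sample manifests, the object names such as `site` and `sops-age`, and the patch bodies are constructed for this example; the assumption that kustomize matches `target` fields as anchored regular expressions follows its selector semantics and is not stated on this page.

```python
import re


def is_sops_encrypted(obj: dict) -> bool:
    """SOPS leaves a top-level `sops` block carrying the MAC and key metadata."""
    sops = obj.get("sops")
    return isinstance(sops, dict) and "mac" in sops


def _fields(obj: dict) -> dict:
    """The five fields a kustomize `target` selector can name."""
    group, _, version = obj.get("apiVersion", "").rpartition("/")  # core group -> ""
    meta = obj.get("metadata") or {}
    return {"group": group, "version": version, "kind": obj.get("kind", ""),
            "name": meta.get("name", ""), "namespace": meta.get("namespace", "")}


def target_matches(target: dict, obj: dict) -> bool:
    """Assumption: kustomize matches group/version/kind/name/namespace as anchored
    regexes; a field the target omits matches anything."""
    fields = _fields(obj)
    return all(re.fullmatch(str(pattern), fields[key])
               for key, pattern in target.items() if key in fields)


def lint(kustomization: dict, rendered: list) -> list:
    """Return human-readable findings; empty means CR and artifact agree."""
    findings = []
    spec = kustomization.get("spec") or {}
    name = (kustomization.get("metadata") or {}).get("name", "<unnamed>")

    # SOPS ciphertext in the artifact vs. spec.decryption on the CR (both directions)
    encrypted = [f"{_fields(o)['kind']}/{_fields(o)['name']}"
                 for o in rendered if is_sops_encrypted(o)]
    provider = (spec.get("decryption") or {}).get("provider")
    if encrypted and provider != "sops":
        findings.append(f"{name}: artifact ships SOPS ciphertext ({', '.join(encrypted)}) "
                        "but spec.decryption is not 'sops'; Flux would apply it raw")
    elif provider == "sops" and not encrypted:
        findings.append(f"{name}: spec.decryption is 'sops' but nothing in the artifact "
                        "is encrypted (dead config, safe to drop)")

    # Every explicit patch target must hit at least one rendered object
    for i, patch in enumerate(spec.get("patches") or []):
        target = patch.get("target")
        if not target:
            continue  # target inferred from the patch body; out of scope here
        if "labelSelector" in target or "annotationSelector" in target:
            findings.append(f"{name}: patches[{i}] uses a selector this lint does not "
                            "evaluate; check it by hand")
            continue
        if not any(target_matches(target, o) for o in rendered):
            desc = "/".join(str(target[k]) for k in ("kind", "name") if k in target)
            findings.append(f"{name}: patches[{i}] targets {desc}, which the artifact "
                            "does not ship; kustomize build would fail")
    return findings


# Constructed sample data modelled on the PR description; names are illustrative.
def obj(api, kind, name, **extra):
    return {"apiVersion": api, "kind": kind,
            "metadata": {"name": name, "namespace": "ascoachingogvaner"}, **extra}


STATIC_SITE = [  # what a static-site artifact ships: no Secret, no DB
    obj("apps/v1", "Deployment", "site"), obj("v1", "Service", "site"),
    obj("gateway.networking.k8s.io/v1", "HTTPRoute", "site"),
]
DB_APP = STATIC_SITE + [  # the earlier artifact: CNPG Cluster plus a SOPS-encrypted Secret
    obj("postgresql.cnpg.io/v1", "Cluster", "ascoaching-db"),
    obj("v1", "Secret", "admin-code-secret",
        data={"code": "ENC[AES256_GCM,data:placeholder,type:str]"},
        sops={"mac": "ENC[AES256_GCM,data:placeholder]", "version": "3.9.0"}),
]
CLUSTER_PATCH = {"target": {"kind": "Cluster", "name": "ascoaching-db"},
                 "patch": "- op: add\n  path: /spec/storage/storageClass\n  value: hcloud-volumes\n"}
ROUTE_PATCH = {"target": {"kind": "HTTPRoute", "name": "site"},
               "patch": "- op: replace\n  path: /spec/hostnames/0\n  value: example.invalid\n"}


def kustomization(patches, provider=None):
    """Build a minimal Flux Kustomization CR (constructed, not the real tenant CR)."""
    spec = {"path": "./", "prune": True, "patches": patches,
            "sourceRef": {"kind": "OCIRepository", "name": "ascoachingogvaner"}}
    if provider:
        spec["decryption"] = {"provider": provider, "secretRef": {"name": "sops-age"}}
    return {"apiVersion": "kustomize.toolkit.fluxcd.io/v1", "kind": "Kustomization",
            "metadata": {"name": "ascoachingogvaner", "namespace": "flux-system"}, "spec": spec}


if __name__ == "__main__":
    for label, cr, artifact in [
        ("old artifact, decryption removed", kustomization([CLUSTER_PATCH, ROUTE_PATCH]), DB_APP),
        ("static artifact, Cluster patch kept", kustomization([CLUSTER_PATCH, ROUTE_PATCH]), STATIC_SITE),
        ("static artifact, Cluster patch dropped", kustomization([ROUTE_PATCH]), STATIC_SITE),
    ]:
        print(f"{label}: {lint(cr, artifact) or 'OK'}")
```

The three scenarios in the block mirror the sequence in the description: the active failure (ciphertext with no decryption), the latent one (a patch whose target the new artifact no longer ships), and the reconciled state. Wiring `lint` into CI for prod-only tenants, fed with the pulled OCI artifact rather than the in-repo sources, would catch both before merge instead of relying on inspection.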
Contributor

Copilot AI left a comment


Pull request overview

This PR coordinates the ascoachingogvaner platform manifests with the upstream static-site release so the tenant can reconcile without SOPS or CNPG resources.

Changes:

  • Bumps the tenant OCI artifact from 1.0.1 to 1.1.0.
  • Removes the obsolete Hetzner CNPG Cluster/ascoaching-db patch.
  • Narrows the tenant network policy to gateway ingress and DNS egress only.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| k8s/bases/apps/ascoachingogvaner/sync.yaml | Pins the tenant OCIRepository to the static 1.1.0 artifact. |
| k8s/providers/hetzner/apps/ascoachingogvaner/patches/kustomization-patch.yaml | Drops the no-longer-valid CNPG storageClass patch while retaining the HTTPRoute hostname patch. |
| k8s/bases/apps/ascoachingogvaner/networkpolicy.yaml | Removes DB, CNPG, monitoring, intra-namespace, and kube-apiserver network allowances. |

@devantler devantler marked this pull request as ready for review May 26, 2026 22:21
@devantler devantler enabled auto-merge May 26, 2026 22:22
@devantler
Contributor Author

Closing as superseded — #1584 ("cut over to static v1.1.0, drop dead CNPG db config") merged to main at 22:48 UTC and applies the identical remediation across the same three files: tenant OCIRepository tag bumped to 1.1.0, the Cluster/ascoaching-db patch removed from the hetzner overlay, and the dead DB network-policy rules dropped. main now reconciles the tenant as the static v1.1.0 site with no secrets and no DB. This PR was opened in parallel before #1584 landed and is now redundant (and conflicting).

🤖 Generated with Claude Code

@devantler devantler closed this May 26, 2026
auto-merge was automatically disabled May 26, 2026 23:37

Pull request was closed

@devantler devantler deleted the claude/ascoachingogvaner-static-tenant-fixup branch May 26, 2026 23:37
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board May 26, 2026