
sec(data): persist postgres-customers admin lockdown into Deployment manifest + drill log#63

Merged
mastermanas805 merged 1 commit into master from sec/postgres-customers-lockdown-durable-manifest
Jun 6, 2026

Conversation

@mastermanas805

Member

Follow-up to PR #61 (merged 78cb6677), which closed the truehomie public-admin DROP vector and was applied to prod 2026-06-06.

PR #61 was applied imperatively (kubectl patch). This PR makes the durable repo manifest (k8s/data/postgres-customers.yaml) match the live state so a future kubectl apply of that file does not silently revert the lockdown.

Changes

  • postgres-customers.yaml: mount the postgres-customers-hba ConfigMap at /etc/postgresql/pg_hba.conf (subPath); start postgres with -c hba_file=... -c password_encryption=scram-sha-256; strategy RollingUpdate → Recreate (the RWO PVC deadlocks a rolling update on a Multi-Attach error — hit + fixed during apply).
  • Runbook §9 Drill Log: records the apply (merge SHA, verification evidence, operator follow-ups).

Apply verification (live, do-nyc3-instant-prod)

  • External admin REJECTED at pg_hba: instanode_admin (the confirmed vector) + instant_cust. Baseline beforehand reached scram (password authentication failed) — i.e. the vector was OPEN; now pg_hba.conf rejects connection ... before any password.
  • In-cluster admin preserved: provisioner instant_cust CREATE/DROP smoke OK; api/worker instanode_admin connect + pg_database_size OK.
  • Customer usr_* path preserved: still reaches scram.

Operator follow-ups (also in runbook §9)

  • Ship the durable pg-proxy role-gate (PG_PROXY_DENIED_ROLES, staged in InstaNode-dev/instant-pg-proxy) so closure no longer depends on the churning proxy-pod-IP reject lines.
  • On any instant-pg-proxy reschedule, refresh the <proxy-ip>/32 reject lines in postgres-customers-lockdown.yaml + reload.
  • apply.yml includes networkpolicy.yaml, which is not enforced today and would default-deny the proxy path if applied — add to the apply EXCLUDE list or add the pg-proxy ingress rule first.

🤖 Generated with Claude Code
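Added example (not code from PR #63 or the repo): a CI-side invariant check that a parsed Deployment manifest still carries the lockdown the description lists (Recreate strategy, the postgres-customers-hba ConfigMap subPath-mounted at /etc/postgresql/pg_hba.conf, and the hba_file / password_encryption args), so a future apply of the file cannot silently revert it. The manifests below are constructed dicts in the shape the PR describes; the repo's real k8s/data/postgres-customers.yaml is not on this page, and in CI the dict would come from yaml.safe_load of that file.

```python
HBA_PATH = "/etc/postgresql/pg_hba.conf"      # path named in PR #63
HBA_CONFIGMAP = "postgres-customers-hba"      # ConfigMap named in PR #63
REQUIRED_ARGS = {f"hba_file={HBA_PATH}", "password_encryption=scram-sha-256"}


def lockdown_findings(deployment):
    """Return drift findings for a parsed Deployment; an empty list means the lockdown holds."""
    findings = []
    spec = deployment.get("spec", {})
    if spec.get("strategy", {}).get("type") != "Recreate":
        findings.append("strategy is not Recreate (RWO PVC deadlocks a rolling update)")
    pod = spec.get("template", {}).get("spec", {})
    # The hba ConfigMap must back a pod volume ...
    hba_vols = {v["name"] for v in pod.get("volumes", [])
                if v.get("configMap", {}).get("name") == HBA_CONFIGMAP}
    if not hba_vols:
        findings.append(f"no volume backed by ConfigMap {HBA_CONFIGMAP}")
    for c in pod.get("containers", []):
        # ... subPath-mounted at exactly the path postgres is told to read hba_file from
        mounted = any(m.get("mountPath") == HBA_PATH and m.get("subPath") and m.get("name") in hba_vols
                      for m in c.get("volumeMounts", []))
        if not mounted:
            findings.append(f"{c['name']}: {HBA_PATH} not subPath-mounted from {HBA_CONFIGMAP}")
        # Every `-c key=value` pair in args is a server setting; both lockdown settings must be present
        args = c.get("args", [])
        settings = {args[i + 1] for i, a in enumerate(args[:-1]) if a == "-c"}
        missing = REQUIRED_ARGS - settings
        if missing:
            findings.append(f"{c['name']}: missing postgres settings {sorted(missing)}")
    return findings


def locked_manifest():
    """Constructed sample in the shape the PR describes (not the repo's real file)."""
    return {"spec": {
        "strategy": {"type": "Recreate"},
        "template": {"spec": {
            "volumes": [{"name": "hba", "configMap": {"name": HBA_CONFIGMAP}}],
            "containers": [{
                "name": "postgres",
                "args": ["-c", f"hba_file={HBA_PATH}", "-c", "password_encryption=scram-sha-256"],
                "volumeMounts": [{"name": "hba", "mountPath": HBA_PATH, "subPath": "pg_hba.conf"}],
            }],
        }},
    }}


def reverted_manifest():
    """Constructed pre-#61 shape: rolling update, image-default catch-all pg_hba, no scram flag."""
    return {"spec": {"strategy": {"type": "RollingUpdate"},
                     "template": {"spec": {"containers": [{"name": "postgres"}]}}}}
```

Run it as a pipeline gate that fails when lockdown_findings returns anything, and it catches exactly the silent revert the PR is guarding against.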

…+ drill log

Follow-up to the 2026-06-06 apply of PR #61. The lockdown was applied to prod via
`kubectl patch` (imperative). This makes the durable repo manifest match the live
state so a future apply of postgres-customers.yaml does NOT silently revert the
lockdown back to the vulnerable catch-all pg_hba:

- mount the postgres-customers-hba ConfigMap at /etc/postgresql/pg_hba.conf (subPath)
- start postgres with `-c hba_file=... -c password_encryption=scram-sha-256`
- strategy RollingUpdate → Recreate (the RWO PVC deadlocks a rolling update on a
  Multi-Attach error; Recreate terminates the old pod first — brief downtime,
  acceptable for single-replica stateful)

Runbook §9 Drill Log records the apply result: external admin (instanode_admin +
instant_cust) now REJECTED at pg_hba (verified live; baseline reached scram), all
in-cluster admin + customer usr_* paths preserved (verified), no rollback. Lists
the operator follow-ups (durable pg-proxy role-gate; proxy-IP churn refresh;
networkpolicy.yaml apply-exclude).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@mastermanas805 mastermanas805 force-pushed the sec/postgres-customers-lockdown-durable-manifest branch from 5894e73 to 2110e01 on June 6, 2026 14:56
@mastermanas805 mastermanas805 merged commit 73ff5c6 into master Jun 6, 2026
3 checks passed
@mastermanas805 mastermanas805 deleted the sec/postgres-customers-lockdown-durable-manifest branch June 6, 2026 14:56