gongme: k8s Manifeste fuer initialen Cluster-Deploy

Namespace, StorageClass (Longhorn), Postgres, API, Web,
OAuth2-Proxy (Zitadel OIDC) und Traefik-Ingress fuer
https://gongme.expertfab.de.

Images: git.expertfab.de/expertfab/ef-gongme-{api,web}:latest
Auth: Zitadel hinter OAuth2-Proxy v7.7.1
TLS: cert-manager letsencrypt-ClusterIssuer

secret-oauth2.yaml enthaelt Platzhalter — CLIENT_ID/SECRET
muessen nach Zitadel-App-Anlage eingetragen werden.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

k8s/gongme/secret.yaml

@@ -0,0 +1,32 @@
+---
+# Application Secret — wird von api-Pod und web-Pod per envFrom geladen.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gongme-env
+  namespace: gongme
+type: Opaque
+stringData:
+  # --- Postgres ---
+  DATABASE_URL: "postgresql://gongme:gongme-prod-pw-change-me@gongme-postgres:5432/gongme?schema=public"
+
+  # --- NestJS ---
+  NODE_ENV: "production"
+  PORT: "3001"
+  JWT_SECRET: "change-me-random-32-chars-minimum"
+  PUBLIC_BASE_URL: "https://gongme.expertfab.de"
+
+  # --- SMTP (bestehendes Relay) ---
+  SMTP_HOST: "smtprelay.expertfab.de"
+  SMTP_PORT: "587"
+  SMTP_USER: "it-admin@expertfab.de"
+  SMTP_PASS: "Relay22$$"
+  SMTP_FROM: "gongme@expertfab.de"
+
+  # --- Web Push (VAPID) ---
+  VAPID_PUBLIC_KEY: "BMFgG85di4U9X-YtbvGxvuwpIS2nNjZCyPzfwMewYs9N38NTQvvDixCHzj2JGe-rCW4jyaO2ZW0DgggB5lH8NI8"
+  VAPID_PRIVATE_KEY: "LNd_q9vqUbH5RQUf_tgO_hJWbI3--zuaNaGyjUqfTy8"
+  VAPID_SUBJECT: "mailto:it-admin@expertfab.de"
+
+  # --- Next.js (web-Pod) ---
+  API_INTERNAL_URL: "http://gongme-api:3001"