fix(chart): template Postgres owner role in update_ownership.sql for multi-env

The Dolibarr before-start step `chart/scripts/update_ownership.sql` (embedded
into a ConfigMap by `chart/templates/scripts-config.yaml`) hardcoded the
Postgres owner role `erp_role`. It reassigns ownership of all public-schema
objects to that role after install. For any non-prod environment the owner
role differs — by the multi-env elision rule (ADR-0002/0003) it is snake-case
`<app>_role` for prod and `<app>_<env>_role` for non-prod, so the sandbox owner
role is `erp_sandbox_role`. With the literal `erp_role`, installing Dolibarr in
`erp-sandbox` would reassign sandbox tables to prod's `erp_role`, which (a)
breaks the sandbox runtime (its dynamic DB creds are a member of
`erp_sandbox_role`, not `erp_role`) and (b) breaks the ADR-0003 reset
(`DROP OWNED BY erp_sandbox_role`).

Fix: make the owner role env-aware via a new chart value `db.ownerRole`.
- values.yaml: default `ownerRole: erp_role` (prod).
- values-sandbox.yaml: override `ownerRole: erp_sandbox_role`.
- update_ownership.sql: all `'erp_role'` literals → `'{{ .Values.db.ownerRole }}'`.
- scripts-config.yaml: render that one SQL file through `tpl` so the value is
  substituted (the other script has no template vars and stays on `.Files.Get`).
  The SQL's `$$`, `%I`, `format(...)`, `RAISE NOTICE` are not Go-template syntax,
  so `tpl` only substitutes the added `{{ .Values.db.ownerRole }}`.

Verified: the prod ConfigMap render (values.yaml only) is byte-identical to
origin/main (empty diff, still `erp_role`); the sandbox render
(-f values.yaml -f values-sandbox.yaml) now contains `erp_sandbox_role` and no
bare `erp_role`; `helm lint` passes (no worse than origin/main).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

chart/scripts/update_ownership.sql

@@ -10,12 +10,12 @@ BEGIN
     WHERE schemaname = 'public'
     LIMIT 1;
 
-    -- Si le propriétaire actuel est différent de erp_role
+    -- Si le propriétaire actuel est différent de {{ .Values.db.ownerRole }}
-    IF current_schema_owner <> 'erp_role' THEN
+    IF current_schema_owner <> '{{ .Values.db.ownerRole }}' THEN
         -- Construire et exécuter la requête REASSIGN OWNED BY
-        EXECUTE format('REASSIGN OWNED BY %I TO %I', current_schema_owner, 'erp_role');
+        EXECUTE format('REASSIGN OWNED BY %I TO %I', current_schema_owner, '{{ .Values.db.ownerRole }}');
-        RAISE NOTICE 'Ownership of all objects in schema "public" has been reassigned from % to %', current_schema_owner, 'erp_role';
+        RAISE NOTICE 'Ownership of all objects in schema "public" has been reassigned from % to %', current_schema_owner, '{{ .Values.db.ownerRole }}';
     ELSE
-        RAISE NOTICE 'No change needed; the owner of schema "public" is already %', 'erp_role';
+        RAISE NOTICE 'No change needed; the owner of schema "public" is already %', '{{ .Values.db.ownerRole }}';
     END IF;
 END $$;

chart/templates/scripts-config.yaml

@@ -7,4 +7,4 @@ data:
     {{- .Files.Get "scripts/update_conf_db_credentials.sh" | nindent 4 }}
   
   update_table_ownership.sql: |
-    {{- .Files.Get "scripts/update_ownership.sql" | nindent 4 }}
+    {{- tpl (.Files.Get "scripts/update_ownership.sql") . | nindent 4 }}

chart/values-sandbox.yaml

@@ -16,6 +16,7 @@ host:     erp-sandbox.arcodange.lab
 
 db:
   name: erp-sandbox
+  ownerRole: erp_sandbox_role
 
 vault:
   k8sRole:     erp-sandbox

chart/values.yaml

@@ -16,6 +16,7 @@ host:     erp.arcodange.lab            # internal hostname for this instance
 
 db:
   name: erp                            # PostgreSQL database name (matches factory tfvars)
+  ownerRole: erp_role                  # Postgres owner role; snake-case <app>_role for prod / <app>_<env>_role for non-prod (matches factory/postgres/iac)
 
 vault:
   k8sRole:     erp                     # VaultAuth role (postgres/iac issues this per instance)