add pod dependency management via Kyverno init container injection

Kyverno ClusterPolicy reads dependency.kyverno.io/wait-for annotation
and injects busybox init containers that block until each dependency
is reachable (nc -z). Annotations added to 18 stacks (24 deployments).

Includes graceful-db-maintenance.sh script for planned DB maintenance
(scales dependents to 0, saves replica counts, restores on startup).

stacks/hackmd/main.tf

@@ -57,6 +57,9 @@ resource "kubernetes_deployment" "hackmd" {
           app                             = "hackmd"
           "kubernetes.io/cluster-service" = "true"
         }
+        annotations = {
+          "dependency.kyverno.io/wait-for" = "mysql.dbaas:3306"
+        }
       }
       spec {
         # container {