add pod dependency management via Kyverno init container injection

Kyverno ClusterPolicy reads dependency.kyverno.io/wait-for annotation
and injects busybox init containers that block until each dependency
is reachable (nc -z). Annotations added to 18 stacks (24 deployments).

Includes graceful-db-maintenance.sh script for planned DB maintenance
(scales dependents to 0, saves replica counts, restores on startup).

stacks/nextcloud/chart_values.yaml

@@ -98,6 +98,7 @@ readinessProbe:
 podAnnotations:
   diun.enable: "true"
   diun.include_tags: "^[0-9]+(?:.[0-9]+)?(?:.[0-9]+)?.*"
+  dependency.kyverno.io/wait-for: "mysql.dbaas:3306,redis.redis:6379"
 
 collabora:
   enabled: false # Using onlyoffice instead