infra(helm): wire remaining in-chart services to CNPG *-pg-app Secrets (T13) #72

Merged
unnamedlab merged 1 commit into main from copilot/audit-openfoundry-repo
Apr 30, 2026

Copilot AI commented Apr 30, 2026

The previous audit flagged T13 as PARTIAL: the umbrella chart infra/k8s/helm/open-foundry only projected DATABASE_URL from a CNPG <bc>-pg-app Secret on 2 of its services, leaving others with a migrations/ dir and a matching infra/k8s/cnpg/clusters/<bc>-pg.yaml manifest unwired.

Re-checking the chart's services: map narrows the real gap to 3 entries (the rest are either already wired, stateless, or not enrolled in this umbrella).

Changes

  • infra/k8s/helm/open-foundry/values.yaml — add the standard envSecrets.DATABASE_URL projection to:
    • sql-bi-gateway-service → sql-bi-gateway-pg-app
    • report-service → report-pg-app
    • nexus-service → nexus-pg-app

Each block follows the convention already used by the identity-federation-service / data-asset-catalog-service pilots and documented in infra/k8s/cnpg/clusters/README.md + ADR-0010 (CNPG auto-populates the uri key on <cluster>-app, so no DSN is committed):

envSecrets:
  DATABASE_URL:
    secretName: nexus-pg-app
    key: uri

Out of scope

The other ~58 services that own a migrations/ directory are not present in this umbrella's services: map (they are not deployed by this chart today). Their per-bounded-context CNPG Cluster and <bc>-pg-app Secret already exist under infra/k8s/cnpg/clusters/, ready to be projected via the same pattern when each service is enrolled in the chart.

@unnamedlab unnamedlab marked this pull request as ready for review April 30, 2026 10:00
@unnamedlab unnamedlab merged commit ec7e68b into main Apr 30, 2026
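
The wiring convention described in this pull request can be checked mechanically. The following is an added example, not code from the pull request or the repository: it audits an already-parsed values.yaml for services that own migrations but lack the `envSecrets.DATABASE_URL` projection, reference the wrong Secret or key, or carry a literal DSN. The `env` map for literal variables, the `needs_db` input and all sample service entries are assumptions made for illustration.

```python
import re

# A connection string with embedded credentials, e.g. scheme://user:password@host/db
INLINE_DSN = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.I)


def audit_database_url(values, needs_db):
    """Return {service: finding} for services that break the
    envSecrets.DATABASE_URL -> *-pg-app / uri convention.

    values   -- parsed values.yaml (dict with a top-level `services` map)
    needs_db -- names of services that own a migrations/ directory
    """
    findings = {}
    for name, svc in (values.get("services") or {}).items():
        svc = svc or {}
        # Assumption: literal env vars live under `env`; the page only shows envSecrets.
        literal = (svc.get("env") or {}).get("DATABASE_URL")
        if literal is not None:
            kind = "inline DSN with credentials" if INLINE_DSN.match(str(literal)) else "literal DATABASE_URL"
            findings[name] = f"{kind} committed in values; project it from the Secret"
            continue
        ref = (svc.get("envSecrets") or {}).get("DATABASE_URL")
        if ref is None:
            if name in needs_db:
                findings[name] = "owns migrations/ but has no envSecrets.DATABASE_URL"
            continue
        if not str(ref.get("secretName", "")).endswith("-pg-app"):
            findings[name] = f"secretName {ref.get('secretName')!r} is not a CNPG *-pg-app Secret"
        elif ref.get("key") != "uri":
            findings[name] = f"key {ref.get('key')!r} should be 'uri'"
    return findings


# Constructed sample, not the repository's real values.yaml.
SAMPLE = {"services": {
    "nexus-service": {"envSecrets": {"DATABASE_URL": {"secretName": "nexus-pg-app", "key": "uri"}}},
    "report-service": {"envSecrets": {"DATABASE_URL": {"secretName": "report-pg-app", "key": "password"}}},
    "sql-bi-gateway-service": {},
    "legacy-service": {"env": {"DATABASE_URL": "postgres://app:EXAMPLE@db:5432/app"}},
    "stateless-service": {},
}}
NEEDS_DB = {"nexus-service", "report-service", "sql-bi-gateway-service"}

if __name__ == "__main__":
    for service, finding in sorted(audit_database_url(SAMPLE, NEEDS_DB).items()):
        print(f"{service}: {finding}")
```
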
unnamedlab pushed a commit that referenced this pull request May 18, 2026
…-4a-dispatch

feat(pipeline-build-service): replace internal/spark with internal/di…