Summary

Adds a runtime spec.recoveryTarget field that takes effect on a
post-bootstrap CNPG cluster, allowing operators to apply
recovery_target_time (or _lsn / _xid / _name) to an
already-running standby and have it pause at exactly that point —
without re-bootstrapping the cluster.

Closes #10634

Motivation

See the linked issue for full motivation. TL;DR: today no in-cluster
option exists for applying a recovery target to a running standby.
spec.replica.minApplyDelay doesn't bound apply at promotion;
bootstrap.recovery.recoveryTarget requires re-bootstrap;
ALTER SYSTEM SET recovery_target_time is blocked by CNPG hardening
of postgresql.auto.conf.

Design

• New spec.recoveryTarget (reuses existing RecoveryTarget struct)
  and spec.recoveryTargetAction (defaults to pause).
• Operator renders recovery_target_* GUCs into custom.conf (which
  CNPG already owns and writes freely), gated on IsReplica().
• cnpg.config_sha256 changes → Postgres reload marks
  pg_settings.pending_restart=true (these GUCs are PGC_POSTMASTER).
• Existing isInstanceNeedingRollout machinery handles the controlled
  in-place restart.
• After promotion (replica.enabled=false), IsReplica() returns
  false and the GUCs are dropped from the rendered config — no
  leftover state on the new primary.

End-to-end validation

Tested on a live cluster:

Deferred (happy to add in follow-ups)

• Webhook validation (one-of mutual exclusion on
  targetTime/targetLSN/etc.).
• Populate status.recoveryTargetStatus from instance manager probes.
• E2E test under tests/e2e/.

Checklist

• feat: Conventional Commits title
• DCO Signed-off-by: on every commit
• make generate + make manifests regenerated artifacts
• go build ./..., go vet, existing unit tests pass
• Webhook validation (follow-up)
• Status reporting (follow-up)
• E2E test (follow-up)

Open to feedback on field placement and API shape before adding the
follow-ups.