refactor: retire imperative addon roles

README.md

@@ -197,7 +197,7 @@ Terraform/bootstrap secrets remain in Gitea Actions secrets and are not managed
 - `clusters/prod/`: cluster entrypoint and Flux reconciliation objects
 - `clusters/prod/flux-system/`: `GitRepository` source and top-level `Kustomization` graph
 - `infrastructure/`: infrastructure addon reconciliation graph
-- `infrastructure/addons/*`: per-addon manifests (observability + observability-content migrated)
+- `infrastructure/addons/*`: per-addon manifests for Flux-managed cluster addons
 - `apps/`: application workload layer (currently scaffolded)
 
 ### Reconciliation graph
@@ -215,7 +215,7 @@ Terraform/bootstrap secrets remain in Gitea Actions secrets and are not managed
 1. Install Flux controllers in `flux-system`.
 2. Create the Flux deploy key/secret named `flux-system` in `flux-system` namespace.
 3. Apply `clusters/prod/flux-system/` once to establish source + reconciliation graph.
-4. Unsuspend addon `Kustomization` objects one-by-one as each addon is migrated from Ansible.
+4. Bootstrap-only Ansible creates prerequisite secrets; Flux manages addon lifecycle after bootstrap.
 
 ### Current migration status
 
@@ -319,9 +319,7 @@ It avoids full cluster provisioning and only applies Grafana content resources:
 │   │   ├── common/
 │   │   ├── k3s-server/
 │   │   ├── k3s-agent/
-│   │   ├── ccm/
-│   │   ├── csi/
-│   │   ├── tailscale-operator/
+│   │   ├── addon-secrets-bootstrap/
 │   │   ├── observability-content/
 │   │   └── observability/
 │   └── ansible.cfg