fix: Reserve Tailscale service hostnames and tag exposed proxies

Reserve grafana/prometheus/flux alongside rancher during rebuild cleanup so
stale tailnet devices do not force -1 hostnames. Tag the exposed Tailscale
services so operator-managed proxies are provisioned with explicit prod/service
tags from the tailnet policy.

infrastructure/addons/rancher/rancher-tailscale-service.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: cattle-system
   annotations:
     tailscale.com/hostname: rancher
+    tailscale.com/tags: "tag:prod,tag:rancher"
     tailscale.com/proxy-class: infra-stable
 spec:
   type: LoadBalancer