cleanup: Remove obsolete port-forwarding, deferred Traefik files, and CI workaround

- Remove ansible/roles/private-access/ (replaced by Tailscale LB services)
- Remove deferred observability ingress/traefik files (replaced by direct Tailscale LBs)
- Remove orphaned kustomization-traefik-config.yaml (no backing directory)
- Simplify CI: remove SA patch + job deletion workaround for rancher-backup
  (now handled by postRenderer in HelmRelease)
- Update AGENTS.md to reflect current architecture

infrastructure/addons/kustomization-traefik-config.yaml

@@ -1,18 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: addon-traefik-config
-  namespace: flux-system
-spec:
-  interval: 10m
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: platform
-  path: ./infrastructure/addons/traefik-config
-  wait: true
-  timeout: 5m
-  suspend: false
-  dependsOn:
-    - name: addon-tailscale-operator
-    - name: addon-tailscale-proxyclass

infrastructure/addons/observability/grafana-ingress.yaml

@@ -1,17 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: grafana
-  namespace: observability
-spec:
-  ingressClassName: traefik
-  rules:
-    - http:
-        paths:
-          - path: /grafana
-            pathType: Prefix
-            backend:
-              service:
-                name: observability-kube-prometheus-stack-grafana
-                port:
-                  number: 80

infrastructure/addons/observability/prometheus-ingress.yaml

@@ -1,17 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: prometheus
-  namespace: observability
-spec:
-  ingressClassName: traefik
-  rules:
-    - http:
-        paths:
-          - path: /prometheus
-            pathType: Prefix
-            backend:
-              service:
-                name: observability-kube-prometh-prometheus
-                port:
-                  number: 9090

infrastructure/addons/observability/traefik-tailscale-service.yaml

@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: traefik-tailscale
-  namespace: kube-system
-  annotations:
-    tailscale.com/hostname: observability
-    tailscale.com/proxy-class: infra-stable
-spec:
-  type: LoadBalancer
-  loadBalancerClass: tailscale
-  selector:
-    app.kubernetes.io/instance: traefik-kube-system
-    app.kubernetes.io/name: traefik
-  ports:
-    - name: web
-      port: 80
-      protocol: TCP
-      targetPort: web
-    - name: websecure
-      port: 443
-      protocol: TCP
-      targetPort: websecure
-    - name: flux
-      port: 9001
-      protocol: TCP
-      targetPort: 9001