fix: pre-pull Rancher images and reset Rancher release during bootstrap

Rancher installs were stalling on transient Docker Hub TLS handshake timeouts
for rancher shell, webhook, and system-upgrade-controller images. Pre-pull the
required images onto all nodes after k3s comes up, extend the Rancher HelmRelease
timeout, and reset/force the Rancher HelmRelease before waiting on addon-rancher
so bootstrap can recover from stale failed remediation state.

ansible/roles/rancher-image-prepull/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+rancher_images_to_prepull:
+  - docker.io/rancher/rancher:v2.13.3
+  - docker.io/rancher/rancher-webhook:v0.9.3
+  - docker.io/rancher/system-upgrade-controller:v0.17.0
+  - docker.io/rancher/shell:v0.6.2

ansible/roles/rancher-image-prepull/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Pre-pull Rancher images into containerd
+  command: /usr/local/bin/ctr -n k8s.io images pull {{ item }}
+  register: rancher_image_pull
+  retries: 5
+  delay: 15
+  until: rancher_image_pull.rc == 0
+  loop: "{{ rancher_images_to_prepull }}"
+  changed_when: true

ansible/site.yml

@@ -93,6 +93,13 @@
   roles:
     - k3s-agent
 
+- name: Pre-pull Rancher bootstrap images
+  hosts: cluster
+  become: true
+
+  roles:
+    - rancher-image-prepull
+
 - name: Deploy observability stack
   hosts: control_plane[0]
   become: true