fix: pre-pull core bootstrap images on cp1 before Flux bootstrap

Fresh clusters were repeatedly timing out while kubelet pulled the pause image,
k3s packaged component images, and Flux controller images onto the first
control plane. Pre-pull the core control-plane bootstrap images into
containerd on cp-1 so Flux and packaged addons start from a warm cache instead
of racing registry TLS timeouts.

ansible/roles/bootstrap-image-prepull/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+bootstrap_prepull_images:
+  - docker.io/rancher/mirrored-pause:3.6
+  - docker.io/rancher/mirrored-coredns-coredns:1.14.2
+  - docker.io/rancher/mirrored-metrics-server:v0.8.1
+  - docker.io/rancher/local-path-provisioner:v0.0.35
+  - docker.io/rancher/mirrored-library-traefik:3.6.10
+  - docker.io/rancher/klipper-helm:v0.9.14-build20260309
+  - ghcr.io/fluxcd/source-controller:v1.8.0
+  - ghcr.io/fluxcd/kustomize-controller:v1.8.1
+  - ghcr.io/fluxcd/helm-controller:v1.5.1
+  - ghcr.io/fluxcd/notification-controller:v1.8.1

ansible/roles/bootstrap-image-prepull/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Pre-pull bootstrap images into containerd
+  command: /usr/local/bin/ctr -n k8s.io images pull {{ item }}
+  register: bootstrap_image_pull
+  retries: 12
+  delay: 15
+  until: bootstrap_image_pull.rc == 0
+  loop: "{{ bootstrap_prepull_images }}"
+  changed_when: true
+  failed_when: false

ansible/site.yml

@@ -102,6 +102,13 @@
   roles:
     - k3s-agent
 
+- name: Pre-pull bootstrap control-plane images
+  hosts: control_plane[0]
+  become: true
+
+  roles:
+    - bootstrap-image-prepull
+
 - name: Pre-pull Rancher bootstrap images
   hosts: cluster
   become: true