fix: make image pre-pull roles fully best effort

The pre-pull roles were still blocking the playbook because they retried until
success and exhausted their retry budget during registry TLS timeouts. Keep the
image pulls as opportunistic cache warmers, but never let them fail the
bootstrap; log any missed images instead.

ansible/roles/bootstrap-image-prepull/tasks/main.yml

@@ -2,9 +2,15 @@
 - name: Pre-pull bootstrap images into containerd
   command: /usr/local/bin/ctr -n k8s.io images pull {{ item }}
   register: bootstrap_image_pull
-  retries: 12
-  delay: 15
-  until: bootstrap_image_pull.rc == 0
   loop: "{{ bootstrap_prepull_images }}"
-  changed_when: true
+  changed_when: bootstrap_image_pull.rc == 0
   failed_when: false
+
+- name: Report bootstrap images that did not pre-pull
+  debug:
+    msg: >-
+      Bootstrap image pre-pull failed for {{ item.item }}: {{ item.stderr | default('no stderr') }}
+  loop: "{{ bootstrap_image_pull.results | default([]) }}"
+  loop_control:
+    label: "{{ item.item }}"
+  when: item.rc is defined and item.rc != 0

ansible/roles/rancher-image-prepull/tasks/main.yml

@@ -2,9 +2,15 @@
 - name: Pre-pull Rancher images into containerd
   command: /usr/local/bin/ctr -n k8s.io images pull {{ item }}
   register: rancher_image_pull
-  retries: 5
-  delay: 15
-  until: rancher_image_pull.rc == 0
   loop: "{{ rancher_images_to_prepull }}"
-  changed_when: true
+  changed_when: rancher_image_pull.rc == 0
   failed_when: false
+
+- name: Report Rancher images that did not pre-pull
+  debug:
+    msg: >-
+      Rancher image pre-pull failed for {{ item.item }}: {{ item.stderr | default('no stderr') }}
+  loop: "{{ rancher_image_pull.results | default([]) }}"
+  loop_control:
+    label: "{{ item.item }}"
+  when: item.rc is defined and item.rc != 0