feat(ring0): migrate middlewares to FluxCD Operator with OCI releases

[mgrzybek]

Summary

• Add ring0/flux/ with all Flux manifests (HelmRelease, HelmRepository, Kustomization) for the 3 layers: core infrastructure, platform, BMaaS
• Add .github/workflows/release.yml to publish ring0 Flux manifests as an OCI artifact on ghcr.io/mgrzybek/micro-cloud on each vX.Y.Z tag
• Add ring0/scripts/deploy-flux.sh to bootstrap the FluxCD Operator, create the required Secrets/ConfigMap, and apply the FluxInstance
• Simplify deploy-idp.sh, deploy-cmdb.sh, deploy-bmaas.sh to only handle the post-Flux imperative steps (Tailscale API gateways, HookOS, registry population, clusterctl init)
• Add preconditions to task intermediate-fullchain for all required env vars and Tailscale connectivity
• Add docs/cluster-config-example.yaml as a reference ConfigMap template

Bootstrap sequence

task intermediate-fullchain   # PKI + OpenBao
task bootstrap                # matchbox / kea
task management               # Talos + Kubernetes
task flux                     # FluxCD Operator + FluxInstance → GitOps takes over
task idp                      # Tailscale API gateway for Authentik
task cmdb                     # Tailscale API gateway for Netbox
task bmaas                    # HookOS build, registry population, clusterctl init

Test plan

• flux get all -A: all objects are ready
• helm list -A: the releases use the same versions than HelmReleases
• Pushing a new tag v0.x.y: the GitHub Actions workflow publishes the OCI  as artifact
• Recreate the FluxInstance: the cluster converges automatically