fix: auto-fetch cloud public CIDRs without cloud sync permissions #660

Merged: RomanMelnyk113 merged 5 commits into main from well-known-cloud-cidr on Mar 18, 2026

RomanMelnyk113 (Contributor) commented Mar 10, 2026

Previously, cloud service IP ranges (used for network flow classification) were only fetched when --cloud-provider-vpc-sync-enabled=true, which requires full cloud credentials for VPC API calls. However, the IP range fetch itself only hits public unauthenticated endpoints. This meant clusters without cloud credentials got no cloud CIDR data at all, leaving CloudCidr empty in GetClusterInfo responses and breaking downstream traffic classification.

Now, setting --cloud-provider=aws (or gcp) is sufficient - cloud public CIDRs are fetched independently, and full VPC sync remains opt-in for richer subnet/zone data.

Summary

  • Extract cloud service IP range fetching (AWS/GCP) into standalone serviceranges package - these are unauthenticated HTTP GETs to public endpoints (ip-ranges.amazonaws.com, gstatic.com/ipranges/cloud.json)
  • Add CloudPublicCIDRController that runs automatically when --cloud-provider is set, with no extra cloud credentials needed
  • Add third-tier lookup in NetworkIndex: static > cloud-sync > cloud-public (lowest priority)

RomanMelnyk113 changed the title "public cloud cidrs sync without need to provide any permissions" to "feat: auto-fetch cloud public CIDRs without cloud sync permissions" Mar 10, 2026
RomanMelnyk113 changed the title "feat: auto-fetch cloud public CIDRs without cloud sync permissions" to "fix: auto-fetch cloud public CIDRs without cloud sync permissions" Mar 11, 2026
RomanMelnyk113 merged commit 0de8ebb into main Mar 18, 2026
3 checks passed
RomanMelnyk113 deleted the well-known-cloud-cidr branch March 18, 2026 11:36
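
The lookup priority named in the PR summary (static > cloud-sync > cloud-public), sketched as an added example; it is not code from this PR or from the project. `TieredIndex`, its methods and the sample CIDRs are hypothetical, and longest-prefix matching inside a tier is an assumption.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Tier order from the PR summary: static > cloud-sync > cloud-public.
const Static, CloudSync, CloudPublic = 0, 1, 2

type entry struct{ prefix netip.Prefix; label string }

// TieredIndex is a hypothetical stand-in for the project's NetworkIndex.
type TieredIndex struct{ tiers [3][]entry }

// Add parses cidr and files it under the given tier.
func (x *TieredIndex) Add(tier int, cidr, label string) error {
	p, err := netip.ParsePrefix(cidr)
	if err == nil {
		x.tiers[tier] = append(x.tiers[tier], entry{p.Masked(), label})
	}
	return err
}

// Lookup stops at the first tier with a match; within a tier the longest prefix wins (assumption).
func (x *TieredIndex) Lookup(ip string) (tier int, label string, ok bool) {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return 0, "", false
	}
	for t, entries := range x.tiers {
		best := -1
		for _, e := range entries {
			if e.prefix.Contains(addr) && e.prefix.Bits() > best {
				best, label = e.prefix.Bits(), e.label
			}
		}
		if best >= 0 {
			return t, label, true
		}
	}
	return 0, "", false
}

func main() {
	var x TieredIndex
	x.Add(CloudPublic, "198.51.100.0/24", "aws/EC2") // constructed sample
	x.Add(Static, "198.51.100.16/28", "on-prem-vpn") // constructed sample
	fmt.Println(x.Lookup("198.51.100.20"))           // static tier wins
}
```

Because the cloud-public tier is consulted last, data from the unauthenticated public feeds only classifies addresses that neither static configuration nor cloud sync already covers.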