public ALB for aws + AMP unification + private endpoint output

[benny-n]

Note

Medium Risk
Touches networking/ingress and cloud IAM/AMP wiring across AWS/Azure/GCP, which can affect cluster reachability and metrics auth if misconfigured, but changes are mostly additive and feature-gated.

Overview
Adds an optional internet-facing AWS ALB (HTTP1 + HTTP2 ingresses) alongside the existing private NLB/PrivateLink path, gated by public_access_enabled, and creates a Route53 alias for ingress.{fqdn} to the public ALB.

Unifies cross-cloud AMP configuration to always provision AmpAccess for Azure/GCP and switches the workload trust to the AmpCpgwIamManagerUser IAM user; cluster stacks now export private connectivity identifiers when public access is disabled (vpc_endpoint_service_name, psc_service_attachment, private_link_service_name/resource group).

Refactors Pinetools to expose created K8s resources (ns, sa, crb) for dependency ordering, updates uninstallers to depend on these, and changes AWS S3 bucket versioning to use the dedicated BucketVersioning resource. The setup wizard bumps the default Pinecone version and improves GCP preflight by requiring gke-gcloud-auth-plugin.

^{Written by Cursor Bugbot for commit d3d34a4. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}