
feat: gateway/private API access mode for Talos + Kubernetes endpoints #447

@gthieleb

Description

Summary

Please support a first-class private-cluster access mode where API traffic is exposed via a dedicated public TCP entrypoint (gateway/LB), instead of requiring direct control-plane public IP paths.

This is mainly for:

  • Security: smaller attack surface and centralized CIDR-restricted ingress.
  • Cost: avoid unnecessary per-node public IPv4 usage where possible.

Important: this is additive and should not change existing HA behavior.

Current limitation

Today, bootstrap and health paths still depend on control-plane public IPv4 in key places, which makes gateway/private-only access difficult to run natively.

Related issues

Related PRs

Proposal

  • Add endpoint abstraction for bootstrap and ops (for example a bootstrap_endpoint_mode variable with public/private endpoint options).
  • Allow Talos API endpoint hostname modes (not only per-node public/private IP lists).
  • Align health checks with selected endpoint mode instead of hardcoded public control-plane IP.
  • Optional support path to disable node public IPv4 where platform constraints allow it.

Acceptance criteria

  • Bootstrap works without direct control-plane public-IP targeting when endpoint mode is gateway/private.
  • kubeconfig and talosconfig generation support gateway/private endpoint workflows.
  • Health checks work in gateway/private endpoint mode.
  • Existing HA behavior remains unchanged and backward compatible.
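The endpoint-mode resolution the proposal sketches, as an added illustration (not code from this issue or the module it targets): for a chosen mode it derives the hosts that bootstrap, talosconfig, kubeconfig and health checks should dial, and a check confirms that gateway/private mode never targets a control-plane public IP directly. The mode names and the field layout are assumptions; the Talos apid port 50000 and kube-apiserver port 6443 are Talos defaults.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

TALOS_API_PORT = 50000  # Talos apid
KUBE_API_PORT = 6443    # kube-apiserver


@dataclass(frozen=True)
class ControlPlane:
    private_ips: tuple[str, ...]
    public_ips: tuple[str, ...] = ()          # empty when node public IPv4 is disabled
    gateway_host: Optional[str] = None        # dedicated public TCP entrypoint (LB/gateway)


def resolve_endpoints(mode: str, cp: ControlPlane) -> dict:
    """Return the targets each workflow should use for an (assumed) endpoint mode.

    Raises ValueError when the mode cannot be satisfied by the available addresses,
    so a misconfiguration fails at plan time rather than during bootstrap.
    """
    if mode == "public":
        if not cp.public_ips:
            raise ValueError("public mode needs control-plane public IPs")
        api_hosts = cp.public_ips
    elif mode == "private":
        api_hosts = cp.private_ips
    elif mode == "gateway":
        if not cp.gateway_host:
            raise ValueError("gateway mode needs a gateway hostname")
        api_hosts = (cp.gateway_host,)
    else:
        raise ValueError(f"unknown endpoint mode: {mode}")
    return {
        # talosctl dials 'endpoints'; apid proxies requests on to the per-node 'nodes'
        "talos_endpoints": [f"https://{h}:{TALOS_API_PORT}" for h in api_hosts],
        "talos_nodes": list(cp.public_ips if mode == "public" else cp.private_ips),
        "kube_server": f"https://{api_hosts[0]}:{KUBE_API_PORT}",
        "bootstrap_endpoint": f"{api_hosts[0]}:{TALOS_API_PORT}",
        "health_targets": [(h, KUBE_API_PORT) for h in api_hosts],
        "dialed_hosts": list(api_hosts),  # hosts the operator actually connects to
    }


def targets_public_control_plane_ip(resolved: dict, cp: ControlPlane) -> bool:
    """Acceptance check: does any dialed target hit a control-plane public IP directly?"""
    return bool(set(cp.public_ips) & set(resolved["dialed_hosts"]))
```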
