test(e2e-mw-dev): port the kind k8s suite into the real-cluster harness; retire tests/k8s

[benben]

What

The kind-based tests/k8s/ suite tested the multi-tenant activation pipeline against a fake cluster — it could not exercise the layers where this quarter's bugs actually lived (real Cilium, Crossplane ducklings, cnpg-shard + external-RDS metadata, per-org Lakekeeper). The per-PR mw-dev harness (tests/e2e-mw-dev/, merged in #657) can. This PR ports every cluster test into the shell harness, implements the remaining harness TODOs, and removes the kind suite + its CI job.

harness.sh — ported coverage (runs kubectl in-cluster via the Job's SA token)

area	assertion	from
wire/query	SELECT 1 + 5 concurrent distinct connections	TestK8sBasicQuery, TestK8sMultipleConcurrentConnections
activation	DuckLake and Iceberg attach + R/W, on cnpg AND ext	DuckLake/Iceberg round-trip tests
ext forks	bundled ducklake/httpfs are the PostHog forks, not upstream	*IsBundledFork
worker pods	labels, securityContext (non-root/uid1000/no-priv-esc), Downward-API POD_NAME/NODE_NAME, no SA-token mount	TestK8sWorkerPodCreation, *SecurityContext, *StampedWithPodAndNode, *DoNotMountServiceAccountToken
resilience	worker-pod kill crash recovery; DuckLake durability across worker restart; concurrent writers (fork conflict-retry — the test flaking on main)	*WorkerCrashRecovery, *DurabilityAcrossWorkerRestart, *ConcurrentWriters
isolation	cnpg vs ext see distinct catalogs; cross-tenant read denied	*DifferentTenantsSeeDistinctCatalogs
lifecycle	deprovision → wait Duckling CR --for=delete → re-provision the same org id → R/W again	the stranded-cnpg-role regression net (#649/#650/#11518/#11522)

The lifecycle/recreate check is reliable now because it waits on the Crossplane Duckling CR's finalizer cascade (which drops the cnpg role+db) instead of racing on warehouse=deleted — the bug the old harness comment flagged as un-portable.

TODOs resolved

• durability / concurrency — implemented (table above).
• same-org recreate — implemented with the CR --for=delete wait.
• async-incomplete teardown — teardown + recreate are now CR-synchronous; drop_cnpg_role stays as an idempotent backstop.
• e2e-cleanup (was "janitor") — run.sh e2e-cleanup + a 6h schedule trigger in e2e-mw-dev.yml reap stale duckgres-ci-pr-* namespaces (+ ducklings, cnpg role+db, Pod Identity association, cross-ns bindings). Renamed away from "janitor" to avoid colliding with duckgres's own control-plane janitor.

tests/k8s removal

• Delete the kind Go suite + its testdata + CLAUDE.md. The cluster tests are ported; the remaining unit tests covered test-only kind-harness helpers (port-forward state machine, transient-DB/pod-gone detection, setup loader) that retire with the harness.
• The RBAC + network-policy static-manifest asserts (the only unit tests over real shipped k8s/ config) move to tests/manifests/ and run in the normal go test ./... lane.
• Remove the k8s-integration-tests job from ci.yml (and its iceberg OIDC/STS wiring — that path is now in the e2e harness).

Kept for now

The supporting k8s/ scripts/manifests + Dockerfile* stay (per request). The just test-k8s-integration recipe is now a dangling reference (its ./tests/k8s/... target is gone) — a later cleanup PR removes it.

Deliberately not ported (documented in README)

• Shared-warm-worker activation + version-mismatch reaper — per-PR CP runs DUCKGRES_K8S_SHARED_WARM_TARGET=0 (no idle warm workers); stay covered by controlplane/ unit tests.
• Physical object-store-prefix isolation — the Job holds no S3 list creds against real mw-dev S3; isolation asserted logically (cross-tenant read denied).
• Cilium egress allow/deny probing — needs a stable in-worker exec probe (high flake); the policies are asserted statically in tests/manifests/.

Validation

• go test ./tests/manifests/ ✅, gofmt clean, sh -n/bash -n on the scripts ✅ locally.
• Full e2e validated by this PR's e2e-mw-dev run against real mw-dev.