🔒 fix(ansible): gate vault auth disable behind vault_oidc_force_reset (default off)

The vault auth disable task added in 437fd506 wipes all gitea_cicd_* per-app JWT roles every ansible run (side effect). Gate it behind a default-off flag so normal re-runs preserve those roles. Opt in with --extra-vars vault_oidc_force_reset=true when intentionally rebuilding the OIDC backend (e.g. bound_issuer config drift).

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>

argocd/values.yaml

@@ -14,11 +14,6 @@ gitea_applications:
     annotations:
       argocd-image-updater.argoproj.io/image-list: webapp=gitea.arcodange.lab/arcodange-org/webapp:latest
       argocd-image-updater.argoproj.io/webapp.update-strategy: digest
-  telegram-gateway:
-    org: arcodange
-    annotations:
-      argocd-image-updater.argoproj.io/image-list: telegram-gateway=gitea.arcodange.lab/arcodange/telegram-gateway:latest
-      argocd-image-updater.argoproj.io/telegram-gateway.update-strategy: digest
   erp:
     annotations: {}
   cms: