Summary

• Add clusters/prod/ infra apps (waves 0-3): cert-manager, ingress-nginx, external-secrets, vault (w/ backup cronjob), registry-secrets, nfs-provisioner, greenroom-storage, core-storage
• Add shared prod files: versions.yaml, registry.yaml, registry-ovh.yaml, registry-ebrains.yaml
• Expand CI matrix from [dev] to [dev, prod] for helm-lint and sync-versions-check
• Update README for multi-env usage (<env> placeholders, both gopass paths, docker-registry vault command)

Prod-specific changes vs dev

• ingress-nginx: proxy-real-ip-cidr 10.0.1.0/24 (prod private network)
• vault: no node affinity override (prod has 4 nodes, default anti-affinity works)
• nfs-provisioner: NFS server 10.0.1.163
• registry-secrets: arc-runners removed from namespace list (no runners in prod)
• versions.yaml: portal tag suffix -hdc-ovh-prod

Post-merge manual steps

1. Vault init/unseal on prod cluster
2. Configure K8s auth + ESO role (same as dev, documented in README)
3. vault kv put secret/docker-registry/ovh username=... password=... (dedicated prod robot account)

Test plan

• make ENV=prod test — all checks pass
• make ENV=dev test — unchanged, all checks pass
• grep -r 'dev.hdc\|clusters/dev' clusters/prod/ — zero matches