deploy: catch-all toleration so DS schedules on not-ready nodes

Replaces the explicit toleration list with `operator: Exists`. The previous
list lacked node.kubernetes.io/not-ready:NoSchedule, so during a fresh
control-plane join the CNI agent couldn't schedule until the node became
Ready — but the node can't become Ready without the CNI. Surfaced during
host001/host002 PERC migration rebuild.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy/install.yaml

@@ -182,19 +182,10 @@ spec:
       nodeSelector:
         flock.fritzlab.net/agent: ""
       tolerations:
-        - key: fritzlab.net/cni-test
-          operator: Equal
-          value: "true"
-          effect: NoSchedule
-        - key: node-role.kubernetes.io/control-plane
-          operator: Exists
-          effect: NoSchedule
-        - key: node.kubernetes.io/not-ready
-          operator: Exists
-          effect: NoExecute
-        - key: node.kubernetes.io/unreachable
-          operator: Exists
-          effect: NoExecute
+        # CNI must schedule on a fresh node before it becomes Ready —
+        # the node has not-ready:NoSchedule until flock installs the CNI conflist.
+        # Catch-all tolerates all taints so the agent always runs.
+        - operator: Exists
       initContainers:
         - name: install-cni
           image: code.fritzlab.net/fritzlab/flock:latest