ci1: expose WinRM/RDP/SSH ports on masquerade interface for Phase 2 bootstrap

The Phase 1 VM has been Running for 9 days but Phase 2 (Puppet bootstrap +
runner registration) was deferred because the operator-interactive
virtctl-vnc path was the only way in. The masquerade interface listed
no exposed ports, so virtctl ssh and kubectl port-forward both hit
'no route to host' — qemu user-mode NAT does not forward inbound by
default.

Adding 5985 (WinRM HTTP) lets a kubectl port-forward + PowerShell
remoting path drive runner registration entirely from outside the VM.
3389 + 22 are reserved for desktop access via Guacamole or virtctl ssh
once OpenSSH Server is installed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Andrew Stoltz
2026-05-26 11:24:34 -05:00
parent 2b420ce8a4
commit 1c36fe3a0a

@@ -77,9 +77,23 @@ spec:
interfaces: interfaces:
# Pod-network fallback for CI runner outbound traffic. Switch to # Pod-network fallback for CI runner outbound traffic. Switch to
# prod-vlan57 once the bridge/NAD lane is ready for L2 access. # prod-vlan57 once the bridge/NAD lane is ready for L2 access.
#
# Ports exposed for runner bootstrap (Phase 2 access): WinRM HTTP
# (5985) for PowerShell remoting from kubectl port-forward, RDP
# (3389) for full desktop via virtctl/Guacamole, SSH (22) for
# OpenSSH-Server-based future automation. Outbound CI runner
# traffic does not need any of these — they exist so the operator
# can install + register the GitHub Actions runner inside the VM.
- name: default - name: default
masquerade: {} masquerade: {}
model: virtio model: virtio
ports:
- name: winrm-http
port: 5985
- name: rdp
port: 3389
- name: ssh
port: 22
machine: machine:
type: q35 type: q35
networks: networks:
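Review bot: the new `ports` list exposes WinRM on 5985, which is WinRM over plain HTTP, and the hunk does not say which authentication method the Phase 2 remoting path will use; with Basic auth on 5985 credentials and session content cross the pod network in the clear, so either expose 5986 (WinRM HTTPS with a listener certificate on the guest) or document in the comment that only Kerberos/NTLM-negotiated remoting (which encrypts the message payload) is permitted over 5985. The same comment block states that "Outbound CI runner traffic does not need any of these" and that they exist only for the operator bootstrap, yet 3389 and 22 are opened now for services that are described as future ("once OpenSSH Server is installed"); consider adding the RDP/SSH entries when those services actually exist, and record in the comment when the bootstrap ports are to be removed once the runner is registered, so the exposure does not outlive Phase 2. Because masquerade forwards these ports from the virt-launcher pod IP, they are reachable from any workload on the pod network, not just from `kubectl port-forward`, so a NetworkPolicy restricting ingress on 5985/3389/22 to the operator path (or removal after Phase 2) should accompany this change. Minor: each entry omits `protocol:`; stating `protocol: TCP` explicitly would make the intent unambiguous to the next reader.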