Roll out header-based Rack::Attack bypass

Steps:

  1. Independently:
    • Complete #624 (closed) and confirm it is deployed,
    • Add haproxy configuration (change to the haproxy cookbook) to set the selected header for trusted IPs, and verify the header is being passed as expected.
  2. Under a Change issue (particularly necessary to describe how to monitor the rollout, and to have prepared responses to various eventualities):
    • Add the environment variable defining the header to both VM deployments (to omnibus configuration, via chef) and Kubernetes (in k8s-workloads). This will start safe-listing trusted IPs for access to protected paths and the allow2ban configuration in the auth rate-limiter, which are currently potentially rate-limited, so it cannot be turned on outside a change issue.
Edited by Craig Miskell
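
The header trust model these steps set up, as an added Ruby example that is not GitLab's code or configuration: the proxy side drops any client-supplied copy of the header and sets it only for trusted source IPs, and the application side honours it only once the environment variable names a header. The header name, the value `1`, the variable name and the address ranges are assumptions made for illustration.

```ruby
require "ipaddr"

# Assumed for illustration; none of these names or ranges come from the issue.
BYPASS_HEADER_ENV = "EXAMPLE_THROTTLE_BYPASS_HEADER" # hypothetical env var
EXAMPLE_HEADER = "X-Example-Bypass"                  # hypothetical header
TRUSTED_NETS = ["192.0.2.0/24", "2001:db8::/32"].map { |c| IPAddr.new(c) } # constructed

# Rack exposes the request header "X-Foo-Bar" as the env key "HTTP_X_FOO_BAR".
def rack_key(header_name)
  "HTTP_" + header_name.upcase.tr("-", "_")
end

# Model of the proxy step: remove every inbound copy of the header, then set
# it only when the source IP is trusted. Names are compared in Rack's
# normalised form so case and "-"/"_" variants are removed as well.
def proxy_normalise(headers, client_ip, header_name)
  target = rack_key(header_name)
  cleaned = headers.reject { |name, _| rack_key(name) == target }
  ip = IPAddr.new(client_ip)
  cleaned[header_name] = "1" if TRUSTED_NETS.any? { |net| net.include?(ip) }
  cleaned
end

# Convert a plain header hash into Rack-style env keys.
def to_rack_env(headers)
  headers.each_with_object({}) { |(name, value), env| env[rack_key(name)] = value }
end

# Predicate in the shape a Rack::Attack safelist block could call. With the
# variable unset it always returns false, so the header has no effect until
# the variable is deployed.
def bypass?(rack_env, configured = ENV[BYPASS_HEADER_ENV])
  return false if configured.nil? || configured.strip.empty?
  rack_env[rack_key(configured)] == "1"
end

# End to end: proxy normalisation followed by the application check.
def request_bypasses?(headers, client_ip, proxy_header:, app_header:)
  bypass?(to_rack_env(proxy_normalise(headers, client_ip, proxy_header)), app_header)
end
```

The application check trusts the header unconditionally, so the verification in step 1 should cover both that trusted IPs receive the header and that a copy sent by any other client never reaches the application.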