[Kubernetes operator] add admission controller

[mlsmaycon]

An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to the persistence of the resource but after the request is authenticated and authorized. This is particularly interesting when you want a certain action to be performed on your deployment or pods but want to keep your definition clean.

From the NetBird user and administrator perspective, using an admission controller pattern will allow individuals to define when to add a NetBird side-car container to their workloads with minimal template configuration. This way, they will be able to expose Kubernetes pods to remote users and systems.

Task:

Create a controller that will listen to deployments, pods, and daemon-set creation, and if they have a defined annotation, it will inject a NetBird sidecar into the resource. The controller will need a CRD to configure setup keys using secrets and optional custom management URLs, which, if missing, will default to https://api.netbird.io/.

In this first iteration, we won't need an API client, and the expectation is that the administrator will configure the CRDs on NetBird's management dashboard. We might add a CRD field to cover the expiration date of the key and issue log events to warn administrators when the time is near.

As part of this development, we need to add a helm chart with pre-defined RBAC and Service accounts and CI/CD workflows for testing.