
[GEP-36] Implement SelfHostedShootExposure controller using STACKIT NLB #103

Open
jamand wants to merge 5 commits into main from feat/self-hosted-shoot-exposure-controller

Conversation


@jamand jamand commented Apr 15, 2026

How to categorize this PR?

/kind enhancement

What this PR does / why we need it:

As part of the Gardener GEP-36: Self-Hosted Shoot Exposure, this PR adds a controller for the SelfHostedShootExposure resource in the extension.

The controller fulfils the respective SelfHostedShootExposure contract and Extension Controller Interface described in the GEP. It uses the STACKIT Network Loadbalancing service as the backing service to expose the endpoints referenced in the resource Spec, which can be updated by the Gardenlet.

Which issue(s) this PR fixes:
Part of gardener/gardener#13602

Special notes for your reviewer:

I tested this using two approaches:

  1. Manual testing via exposing a DaemonSet nginx on a worker pool and providing the worker IPs in a SelfHostedShootExposure picked up by the Extension, you may use make mirrord-run for that.
  2. Running integration tests I added (which test basic operations like creation, update of target pools, plan, deletion).

The gardener-extension-provider-stackit/test/integration/selfhostedshootexposure/stackit test is not registered as a prow check currently; I could add it if it's worth it (the tests take about 3 minutes or so).

/cc @stackitcloud/ske-gardener

@ske-prow ske-prow bot requested a review from a team April 15, 2026 11:47
@ske-prow ske-prow bot added the kind/enhancement Enhancement, improvement, extension label Apr 15, 2026
@ske-prow

ske-prow bot commented Apr 15, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ftl for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ske-prow ske-prow bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Apr 15, 2026
@jamand jamand force-pushed the feat/self-hosted-shoot-exposure-controller branch from b0238cc to f89d103 Compare April 15, 2026 13:22
@timebertt timebertt changed the title feat: Implement SelfHostedShootExposure controller using STACKIT NLB (GEP-36) [GEP-36] Implement SelfHostedShootExposure controller using STACKIT NLB Apr 16, 2026
@jamand
Member Author

jamand commented Apr 16, 2026

Ah, I have some questions that came to mind where I'm not sure whether I can completely handle it here or if we need a follow-up. @timebertt
As I've just finished working on gardener/gardener#14420, I realised that the control plane behind self-hosted shoot exposure does not have any access control implemented now. It's not directly part of the spec. I could add it to the provider-specific specs and do ACLs at the load balancer level. Then we wouldn't need to care about the PROXY protocol and passing the client IP through. As it's just the control plane and not different endpoints (like discovery server, ske-api) that may require different access levels, there is no hard need for that to my understanding. We just have to check how to use existing logic to update the ACLs for dynamically changing CIDRs like we do in other use cases.

@jamand
Member Author

jamand commented Apr 16, 2026

I added a way to provide AllowedSourceRanges in the provider specs for now (setting, modifying and removing it are also tested in the integration tests) in the last commit.
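The two comments above describe the access-control gap (no ACL on the control-plane endpoint exposed through the NLB) and the fix (an AllowedSourceRanges list in the provider-specific spec, enforced at the load balancer and kept in sync as CIDRs change). The following Go block is an added example written for this page, not code from the PR or from the gardener-extension-provider-stackit project: it shows the validation and diffing a reconciler needs before it can push such a list to a load balancer ACL. The ProviderConfig type and its field shape, the "empty means unrestricted" reading, the refusal of a /0 range and all sample CIDRs are assumptions; no STACKIT API is called.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// ProviderConfig is an assumed shape for the provider-specific part of the
// SelfHostedShootExposure spec (hypothetical, not the extension's real type).
// An empty list is read as "no restriction", as for loadBalancerSourceRanges.
type ProviderConfig struct {
	AllowedSourceRanges []string `json:"allowedSourceRanges,omitempty"`
}

// NormalizeSourceRanges rejects anything that is not a CIDR (bare IPs, names),
// clears host bits so 10.1.2.3/8 equals 10.0.0.0/8, dedupes and sorts.
func NormalizeSourceRanges(ranges []string) ([]netip.Prefix, error) {
	seen := make(map[netip.Prefix]struct{}, len(ranges))
	out := make([]netip.Prefix, 0, len(ranges))
	for _, r := range ranges {
		p, err := netip.ParsePrefix(r)
		if err != nil {
			return nil, fmt.Errorf("allowedSourceRanges: invalid CIDR %q: %w", r, err)
		}
		p = p.Masked()
		if _, dup := seen[p]; dup {
			continue
		}
		seen[p] = struct{}{}
		out = append(out, p)
	}
	sortPrefixes(out)
	return out, nil
}

// IsOpenToWorld reports whether a /0 is present, i.e. the ACL admits everyone.
func IsOpenToWorld(prefixes []netip.Prefix) bool {
	for _, p := range prefixes {
		if p.Bits() == 0 {
			return true
		}
	}
	return false
}

// ACLDiff is the minimal change set turning the current LB ACL into desired.
type ACLDiff struct {
	Add    []netip.Prefix
	Remove []netip.Prefix
}

// DiffACL tags each prefix with where it occurs (bit 1: current, bit 2: desired);
// only-desired prefixes are added, only-current ones removed. Inputs must be normalized.
func DiffACL(current, desired []netip.Prefix) ACLDiff {
	where := make(map[netip.Prefix]int, len(current)+len(desired))
	for _, p := range current {
		where[p] |= 1
	}
	for _, p := range desired {
		where[p] |= 2
	}
	d := ACLDiff{Add: []netip.Prefix{}, Remove: []netip.Prefix{}}
	for p, w := range where {
		switch w {
		case 2:
			d.Add = append(d.Add, p)
		case 1:
			d.Remove = append(d.Remove, p)
		}
	}
	sortPrefixes(d.Add)
	sortPrefixes(d.Remove)
	return d
}

// PlanACLUpdate is what a reconciler would run on each spec change: validate the
// ranges, refuse an allow-all ACL (assumed policy), diff against the LB's current ranges.
func PlanACLUpdate(cfg ProviderConfig, current []netip.Prefix) (ACLDiff, error) {
	desired, err := NormalizeSourceRanges(cfg.AllowedSourceRanges)
	if err != nil {
		return ACLDiff{}, err
	}
	if IsOpenToWorld(desired) {
		return ACLDiff{}, fmt.Errorf("allowedSourceRanges: a /0 admits every source; omit the field instead")
	}
	return DiffACL(current, desired), nil
}

func sortPrefixes(ps []netip.Prefix) {
	sort.Slice(ps, func(i, j int) bool { return ps[i].String() < ps[j].String() })
}

func main() {
	// Constructed sample: the LB currently allows two ranges and the spec changed.
	current, _ := NormalizeSourceRanges([]string{"10.0.0.0/8", "192.168.0.0/16"})
	d, err := PlanACLUpdate(ProviderConfig{AllowedSourceRanges: []string{"10.1.2.3/8", "172.16.0.0/12"}}, current)
	fmt.Printf("add=%v remove=%v err=%v\n", d.Add, d.Remove, err)
}
```

Normalizing before diffing is what keeps the "dynamically changing CIDRs" case cheap: an unchanged spec produces an empty diff and no load balancer call, and a spec that merely re-orders or re-spells the same networks does not churn the ACL. Whether a /0 should be rejected or only logged is a policy choice; the block rejects it so that a copy-paste of `0.0.0.0/0` cannot silently reopen the control plane.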

