Story
Resolution: Done
PrivateLink clusters have their API server fronted by a VPC Endpoint (VPCE) Service. Hive creates this VPCE Service with a single allowed principal, the IAM entity Hive itself is using, and then enforces (reconciles) that setting: https://github.com/openshift/hive/blob/a24b27f30b73bf7def116663035137d47e5eaafb/pkg/controller/awsprivatelink/awsprivatelink_controller.go#L694-L712
However, in HyperShift we need not only multiple allowed principals but also the ability to add allowed principals over time (post-install), to enable the design in https://docs.google.com/document/d/1e-3pphlJ6JvfA8pb-Niw6bgCMPxpyvUn6wkeK8oAsRU/edit#.
Done Criteria:
- A CustomResource that can be modified over time to add additional allowed principal ARNs to a PrivateLink cluster's VPC Endpoint Service
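
A sketch of the reconcile step this story implies, added here as an example and not taken from Hive's code: given Hive's own principal, the additional ARNs from the resource, and the principals currently on the VPC Endpoint Service, it computes what to pass as `AddAllowedPrincipals` and `RemoveAllowedPrincipals` to `ModifyVpcEndpointServicePermissions`. The helper name `PlanPermissions`, the ARN pattern and the sample ARNs are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// iamPrincipal matches IAM account-root, user and role ARNs. The "*" principal,
// which the endpoint service API accepts to allow every AWS principal, is
// deliberately not matched, so it can never be requested through the spec.
var iamPrincipal = regexp.MustCompile(`^arn:aws[a-z-]*:iam::\d{12}:(root|user/.+|role/.+)$`)

// PlanPermissions (hypothetical helper) returns the principals to add and to
// remove so the service allows exactly defaultARN plus the additional ARNs.
func PlanPermissions(defaultARN string, additional, current []string) (add, remove []string, err error) {
	desired := map[string]bool{}
	for _, arn := range append([]string{defaultARN}, additional...) {
		if !iamPrincipal.MatchString(arn) {
			return nil, nil, fmt.Errorf("refusing allowed principal %q: not an IAM root, user or role ARN", arn)
		}
		desired[arn] = true
	}
	have := map[string]bool{}
	for _, arn := range current {
		if have[arn] {
			continue // ignore duplicates in the observed list
		}
		have[arn] = true
		if !desired[arn] {
			remove = append(remove, arn) // drift: granted outside the spec
		}
	}
	for arn := range desired {
		if !have[arn] {
			add = append(add, arn)
		}
	}
	sort.Strings(add)
	sort.Strings(remove)
	return add, remove, nil
}

func main() {
	// Constructed sample values; account IDs and names are placeholders.
	hive := "arn:aws:iam::111111111111:user/hive"
	extra := []string{"arn:aws:iam::222222222222:role/control-plane-operator"}
	current := []string{hive, "arn:aws:iam::333333333333:root"}
	fmt.Println(PlanPermissions(hive, extra, current))
}
```

Removing principals that are not in the desired set keeps the existing enforce-and-reconcile behaviour: a principal added out of band is revoked on the next pass.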
- relates to: HOSTEDCP-697 Configurable additional allowed principals for HCP VPC Endpoint Service (Closed)