Description of problem:

As a follow up to https://issues.redhat.com/browse/OCPBUGS-69434 and its bug fix, we want to create and enable VAPs for Core CAPI IPAM CRDs (in techpreview) to add required validation which doesn't involve mandatorily reaching out to a validating webhook which we can't reach at bootstrap.

DOD:

• Create ValidatingAdmissionPolicies for Core CAPI IPAM kinds that mimic what's being validated in their validating webhooks upstream:
  • https://github.com/kubernetes-sigs/cluster-api/blob/main/internal/webhooks/ipaddress.go 
  • https://github.com/kubernetes-sigs/cluster-api/blob/main/internal/webhooks/ipaddressclaim.go 
• Ship those in o/cluster-api's transport configmaps so they can be installed by the cluster-capi-operator

The overall plan for this is:

• (short term) set the IPAM webhooks to failurepolicy: Ignore (as we do for MAPI validations) to allow to fix the bug (https://github.com/openshift/cluster-api/pull/256#issuecomment-3661233521)
• follo-up with defining VAPs to replace the webhooks upstream (I know there were discussions about doing this upstream, so we can propose that there maybe) (this card)
• meanwhile carry the VAPs ourselves downstream for IPAM
• once upstream drops the webhooks in favour of VAPs, drop our carries altogether