  1. OpenShift Service Mesh
  2. OSSM-10699

Manifest Customization


    • Type: Story
    • Resolution: Unresolved
    • Priority: Normal
    • Istio, Sail Operator

      Upstream issue

      Goal:

      We should allow users to customize how the manifests are applied, ideally through a separate CRD, so that it can be access-controlled through Kubernetes RBAC. This is important, as we want to give mesh operators the ability to define who can make manifest customizations, as they're quite powerful and have security implications.

      Acceptance Criteria:

      • Users can define specific fields that should never be overwritten by the operator (e.g. "don't overwrite changes to my ServiceAccount's pullSecret field")
      • Users can override specific fields on their resources (e.g. "add the label 'managed-by: platform-team' to all resources created by the operator") even if the Helm charts define a different value
      • Users can target specific resources, resource kinds or use wildcards to apply these rules (e.g. "add label to all Deployments", "set spec.type to NodePort on the istiod service")
      • Different rules for resource creation and resource updates can be defined (e.g. "create the istiod Service as usual from the Helm chart, but if a user makes a change to the spec.type field, preserve that change during updates")
      • We should be able to use the same logic to define internal defaults, e.g. "never update the failurePolicy on a webhook", as those are managed by istiod. This doesn't necessarily have to happen through a CRD; it could just be an internal representation (manifest customization defaults).
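
The acceptance criteria above amount to a rule engine that sits between the rendered Helm output and the API server. The following Python example is added here for illustration and is not Sail Operator code; the rule fields (`target`, `path`, `action`, `value`, `on`), the function names and the sample rules are assumptions made for the example.

```python
import copy
from fnmatch import fnmatchcase

_MISSING = object()

def _get(obj, path):
    """Return the value at a dot-separated path, or _MISSING if a key is absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return _MISSING
        obj = obj[key]
    return obj

def _set(obj, path, value):
    """Set the value at a dot-separated path, creating intermediate maps."""
    *parents, leaf = path.split(".")
    for key in parents:
        if not isinstance(obj.get(key), dict):
            obj[key] = {}
        obj = obj[key]
    obj[leaf] = value

def apply_rules(rendered, live, rules):
    """Return the manifest to send to the API server.

    rendered is the chart output; live is the cluster object, or None on creation.
    """
    out = copy.deepcopy(rendered)
    phase = "create" if live is None else "update"
    ident = f"{out.get('kind')}/{out.get('metadata', {}).get('name')}"
    for rule in rules:  # applied in order, so a later rule wins
        if phase not in rule["on"] or not fnmatchcase(ident, rule["target"]):
            continue
        if rule["action"] == "override":
            _set(out, rule["path"], rule["value"])
        elif rule["action"] == "preserve":
            kept = _get(live, rule["path"])
            if kept is not _MISSING:  # nothing to keep if the field is unset
                _set(out, rule["path"], copy.deepcopy(kept))
    return out

# Constructed rules mirroring two of the examples in the acceptance criteria.
RULES = [
    {"target": "*/*", "path": "metadata.labels.managed-by", "action": "override",
     "value": "platform-team", "on": {"create", "update"}},
    {"target": "Service/istiod", "path": "spec.type", "action": "preserve",
     "on": {"update"}},
]
```

Whoever can edit the rule list can pin or rewrite any field of an operator-managed resource, which is the reason the goal asks for these rules to live in a separate, RBAC-controlled resource.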

              _bmangoen Brian Mangoenpawiro
              Steve Kriss