We recently enabled sidecar injection in istio-system (OSSM-2221), but now we can get into a situation where the istiod Deployment can't create the istiod Pod unless istiod is already running. 

This means that if the istiod Pod is deleted, it can't start back up, leaving the control plane off-line until someone manually deletes the `sidecar-injector.istio.io` webhook. In addition to istiod, no other control plane Pod can start while istiod is off-line.

To replicate this issue:

1. Run the latest daily build of the operator
2. Delete the istiod Pod:

   kubectl -n istio-system delete -l app=istiod
   

1. Observe that no new istiod Pod appears

   kubectl -n istio-system get po
   

1. Check the events of the istiod ReplicaSet:

   kubectl -n istio-system describe istiod
   

The ReplicaSet shows following Warning event:

Warning  FailedCreate      8m19s (x36 over 43m)  replicaset-controller  Error creating: Internal error occurred: failed calling webhook "sidecar-injector.istio.io": failed to call webhook: Post "https://istiod-minimal.istio-system.svc:443/inject?timeout=10s": dial tcp 10.96.168.8:443: connect: connection refused

We should probably add an objectSelector to the webhook to ensure that the webhook is never applied to istiod Pods. Check the objectSelector in the upstream webhook.

Acceptance criteria:

• ensure the webhook never prevents the creation of the istiod pod