[FLINK-XXXX] [helm] Add ValidatingAdmissionPolicy to protect FlinkBlueGreenDeployment child resources#17

Draft
james-kan-shopify wants to merge 1 commit into main from jk.protect-flinkdeployment-modification-in-bg

Conversation


@james-kan-shopify james-kan-shopify commented Feb 1, 2026

What is the purpose of the change

This pull request adds a Kubernetes-native ValidatingAdmissionPolicy to protect child FlinkDeployment resources managed by FlinkBlueGreenDeployment from direct modifications. When enabled, users won't be able to modify the FlinkDeployment spec directly; changes can only be applied by modifying the FlinkBlueGreenDeployment spec, after which the operator handles all updates to child deployments. This prevents accidental or unauthorized changes that could disrupt blue/green transitions.

Brief change log

  • Added ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding Helm template in templates/policies/bluegreen_admission_policy.yaml
  • Added blueGreenAdmissionPolicy configuration section to values.yaml (disabled by default)
  • Added configuration documentation to docs/content/docs/operations/helm.md including Helm values table entries
  • Added Helm unit tests in tests/policies/bluegreen_admission_policy_test.yaml

Verifying this change

This change added tests and can be verified as follows:

  • Added Helm unit tests that verify:
    • Policy is not created when blueGreenAdmissionPolicy.create=false
    • Policy and binding are created when enabled
    • CEL expression correctly references the operator's service account
    • Custom service account names are correctly templated
    • Correct failurePolicy and validationActions are applied
    • Policy only matches UPDATE operations on flinkdeployments
  • Manually verified by rendering templates with helm template and confirming the CEL expression correctly allows only the operator's service account to update FlinkDeployments owned by FlinkBlueGreenDeployment

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): no
  • The public API, i.e., are there any changes to the CustomResourceDescriptors: no
  • Core observer or reconciler logic that is regularly executed: no

Documentation

  • Does this pull request introduce a new feature? yes
  • If yes, how is the feature documented? docs (added "Blue/Green Admission Policy" section to helm.md and configuration entries to the Helm values table)
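The admission policy the description outlines, written out as a plain Kubernetes manifest. This is an added illustration, not the Helm template from the PR: the policy and binding names, the operator namespace `flink-operator` and the service account name `flink-operator` are placeholders, and the rule is narrowed to spec changes (so label or annotation updates by other controllers still pass) rather than all updates, which goes a step beyond what the description states.

```yaml
# Added example, not the PR's own template. Rejects spec changes to any
# FlinkDeployment that carries an ownerReference to a FlinkBlueGreenDeployment
# unless the request comes from the operator's service account.
# Placeholders (assumed, not from the PR): policy/binding names, the operator
# namespace "flink-operator" and service account "flink-operator".
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: flink-bluegreen-child-protection
spec:
  # Fail closed: if the policy cannot be evaluated, the update is rejected.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["flink.apache.org"]
        apiVersions: ["*"]
        operations: ["UPDATE"]          # CREATE/DELETE are handled by the operator itself
        resources: ["flinkdeployments"] # the status subresource is deliberately not matched
  variables:
    # The identity the operator pod runs as; adjust namespace/name to your install.
    - name: isOperator
      expression: "request.userInfo.username == 'system:serviceaccount:flink-operator:flink-operator'"
    # True when this FlinkDeployment is a child of a FlinkBlueGreenDeployment.
    - name: ownedByBlueGreen
      expression: >-
        has(object.metadata.ownerReferences) &&
        object.metadata.ownerReferences.exists(r, r.kind == 'FlinkBlueGreenDeployment')
    # Only the spec is protected; metadata-only edits are still permitted.
    - name: specChanged
      expression: "object.spec != oldObject.spec"
  validations:
    - expression: "!variables.ownedByBlueGreen || !variables.specChanged || variables.isOperator"
      message: "FlinkDeployments owned by a FlinkBlueGreenDeployment may only be changed through the parent FlinkBlueGreenDeployment spec."
      reason: Forbidden
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: flink-bluegreen-child-protection-binding
spec:
  policyName: flink-bluegreen-child-protection
  # Deny enforces; Audit additionally annotates the API audit event so blocked
  # direct edits show up in audit logs.
  validationActions: [Deny, Audit]
```

Because this is enforced at admission rather than through RBAC, it applies even to users who hold edit rights on `flinkdeployments`, and a `kubectl apply` against a child deployment returns the policy message instead of silently racing the operator. Keeping `Audit` alongside `Deny` gives a detection signal for attempted direct modifications without changing the outcome.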

@james-kan-shopify james-kan-shopify force-pushed the jk.protect-flinkdeployment-modification-in-bg branch from ab1beb5 to 1c252ce Compare February 1, 2026 07:26