Guardrails VAP replacement

[yjst2012]

Which issue this PR addresses:

ARO-23216 Convert All Policies from Rego to CEL
ARO-23217 Implement VAP Deployment and Version Detection
ARO-23218 Implement Migration Logic

What this PR does / why we need it:

Initial code for Guardrails VAP Replacement

Test plan for issue:

Tested on my cluster

Is there any documentation that needs to be updated for this PR?

Internal eng.ms doc to be updated in a separate pr

How do you know this will function as expected in production?

It should work the same way as in my test env

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[yjst2012]

/azp run ci

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[tuxerrante]

stopVAPTicker does a blocking send on vapTickerDone before closing the channel. While the ticker goroutine is handling ticker.C, it can be inside deployVAP and not selecting on vapTickerDone, so a reconcile that calls stopVAPTicker can block indefinitely. Could we switch this to a non-blocking stop (or cancellation-driven shutdown) so ticker shutdown cannot deadlock? Context:

ARO-RP/pkg/operator/controllers/guardrails/guardrails_vap.go

Lines 200 to 204 in 0e87efd

	func (r *Reconciler) stopVAPTicker() {
	if r.vapTickerDone != nil {
	r.vapTickerDone <- true
	close(r.vapTickerDone)
	}

[tuxerrante]

maybe this could be passed as an argument for a more clear flow, eg:

func (r *Reconciler) vapTicker(ctx context.Context, instance *arov1alpha1.Cluster, done <-chan struct{}) {
...
	case <-done:
			return

...
}


func (r *Reconciler) stopVAPTicker() {
	r.vapTickerMu.Lock()
	done := r.vapTickerDone
	r.vapTickerDone = nil
	r.vapTickerMu.Unlock()
	if done != nil {
		close(done) // non-blocking broadcast stop
	}
}

see comment below