fix: adding flag to validate rego for templates

[JaydipGabani]

What this PR does / why we need it: Introducing flag to validate rego in constraint template.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #3008

Special notes for your reviewer:
I am not erroring out if experimental-enable-k8s-native-validation and validate-template-rego both are enabled at the same time as we discussed. Instead, the behavior is if validate-template-rego is enabled then any templates with cel will be rejected with the error "invalid rego", but the templates that exist in the cluster already with cel will still work (feels like less breaking change with this approach). Additionally, updates on cel templates will throw an "invalid rego" error as well. I do not have any issue with erroring out, so let me know if this is not the desired approach and I will make changes accordingly to error out if both are enabled at the same time.

[codecov-commenter]

Codecov Report

Attention: 11 lines in your changes are missing coverage. Please review.

Comparison is base (5c99159) 52.49% compared to head (c95da90) 52.41%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3026      +/-   ##
==========================================
- Coverage   52.49%   52.41%   -0.08%     
==========================================
  Files         134      134              
  Lines       11937    11948      +11     
==========================================
- Hits         6266     6263       -3     
- Misses       5179     5192      +13     
- Partials      492      493       +1     

Flag	Coverage Δ
unittests	52.41% <0.00%> (-0.08%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
pkg/webhook/policy.go	33.46% <0.00%> (-0.77%)	⬇️

... and 3 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[maxsmythe]

Thanks for doing this!

Should we also update the instructions in the VAP demo readme?

[ritazh]

I am not erroring out if experimental-enable-k8s-native-validation and validate-template-rego both are enabled at the same time as we discussed.

IMO it’s better to fail early when both flags are used especially because the new flag is enabled by default so the GK/cluster operator can make the decision whether or not they need this new flag enabled if they have enabled the vap flag in their environment already. Getting the error when a vap policy is used seems too late and requires extra work for the policy owner to work with the GK/cluster operator to update the flags.

[maxsmythe]

LGTM, thanks for doing this!

[ritazh]

LGTM