Enable serverless-operator for market-dependant configurations

[kwiatekus]

Description

Make serverless-operator ready for market-specific customisations by:

• opting-in for rt-cfg.kyma-project.io annotations
• configuring serverless image variants for FIPS installations

Acceptance criteria

• decorate serverless-operator deployment with bootsraper opt-in annotations to ensure that bootstraper mutates the pod according to target market on creation:
  • img-registry is altered on restricted markets to use secured registry (rt-cfg.kyma-project.io/alter-img-registry: "true")
  • img pull secret is added to pull from secured registry (rt-cfg.kyma-project.io/add-img-pull-secret: "true")
  • KYMA_FIPS_MODE_ENABLED env is added (rt-cfg.kyma-project.io/set-fips-mode: "true") allowing serverless-operator logic to configure severless controller to run with godebug flag with fips or non fips mode
• decorate serverless controller deployment with bootraper opt-in annotations to ensure that bootstraper mutates it's pod according to target market on creation:
  • img-registry is altered on restricted markets to use secured registry (rt-cfg.kyma-project.io/alter-img-registry: "true")
  • img pull secret is added to pull from secured registry (rt-cfg.kyma-project.io/add-img-pull-secret: "true")
  • KYMA_FIPS_MODE_ENABLED env is added (rt-cfg.kyma-project.io/set-fips-mode: "true") allowing serverless-controller logic to match the target image variants of severless images (fips/non-fips variants for python and node images)
• Modify the serverless controller logic so that it decorates the function pods with annotations that ensure altering img registry URL and adding img pull secret in the function pods
• Modify the serverless controller logic so that with KYMA_FIPS_MODE_ENABLED env set to true, the controller should use the *-fips equivalents when scheduling functions
• serverless operator manifest should provide additional envs with urls of *-fips image equivalents pointing to the kyma's restricted registry that mirrors chainguard images (see attachments)

Reasons

While preserving constant codebase and manifest for serverless for various regulated markets, we need to enable customisations at start time, so that serverless can operate on different markets with different requirements, such as FIPS compliance or pulling images from market-secured registries (RBSC)

Testing Strategy
Introduce a new test for serverless-manager (test suite) verifying that depending on KYMA_FIPS_MODE_ENABLED proper images are used as flags for keda deployment

Attachments

#2115

Documentation of the runtime-bootstraper, which manipulates workloads when they are created:

• https://github.com/tobiscr/rt-bootstrapper/blob/46f8c2f759d1a22a7ff22ae22c92d9a47ab5efba/docs/user/README.md

Pull through proxying of the restricted registry

• https://pages.github.tools.sap/kyma/documentation/kyma-internal/how-to-guides/80-kyma-restricted-registry.html#chainguard-image-references

Configuration fragment showing the fips variant images configured as envs (atm use the same url until #2236 is done)

...
        - name: IMAGE_FUNCTION_RUNTIME_PYTHON312
          value: europe-docker.pkg.dev/kyma-project/prod/function-runtime-python312:1.9.5
        - name: IMAGE_FUNCTION_RUNTIME_PYTHON312_FIPS
          value: europe-docker.pkg.dev/kyma-project/prod/function-runtime-python312:1.9.5
 (same for all  remaining serverless images that will have FIPS/NON-fips variants)
...