Backport of Add support for setting the namespace that the CNI plugin is installed into release/1.0.x #1757

Merged
kschoche merged 2 commits into release/1.0.x from backport/allow_cni_namespacing/gratefully-fond-fly
Nov 30, 2022

Conversation

@hc-github-team-consul-ecosystem
Contributor

Backport

This PR is auto-generated from #1756 to be assessed for backporting due to the inclusion of the label backport/1.0.x.

WARNING automatic cherry-pick of commits failed. Commits will require human attention.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul-k8s/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


Kubernetes 1.25 uses the PSA system which controls pod security standards at the namespace level.
The CNI plugin requires elevated permissions which would otherwise interfere with setting the rest of the consul-k8s resources compliant with restricted modes of the PSA.
By allowing the CNI plugin to be installed into another namespace, like kube-system or consul-system, we can still run the rest of Consul in restricted mode while the CNI plugin runs in another, elevated namespace.
This is a common workflow for other CNI plugins:

demo $ k get pods -A
NAMESPACE            NAME                                        READY   STATUS    RESTARTS      AGE
calico-apiserver     calico-apiserver-db5d9d654-hlf62            1/1     Running   0             19h
calico-apiserver     calico-apiserver-db5d9d654-w5ljk            1/1     Running   0             19h
calico-system        calico-kube-controllers-5d95c5d5fb-7vm9h    1/1     Running   0             19h
calico-system        calico-node-9tglm                           1/1     Running   0             19h
calico-system        calico-typha-664b86ccfd-bs65l               1/1     Running   0             19h
calico-system        csi-node-driver-tftld                       2/2     Running   0             19h

Changes proposed in this PR:

  • Introduces a new field namespace into the connectInject.cni stanza which controls which namespace CNI related resources are installed in.

How I've tested this PR:
Unit tests + manually test by installing the plugin:

$ cat x.yaml
connectInject:
  enabled: true
  cni:
    enabled: true
    namespace: kube-system

$ helm install consul /Users/kyle/go/src/github.com/hashicorp/consul-k8s/charts/consul -f x.yaml
<snip>

$ k get pods -A
NAMESPACE            NAME                                        READY   STATUS    RESTARTS      AGE
calico-apiserver     calico-apiserver-db5d9d654-hlf62            1/1     Running   0             20h
calico-apiserver     calico-apiserver-db5d9d654-w5ljk            1/1     Running   0             20h
calico-system        calico-kube-controllers-5d95c5d5fb-7vm9h    1/1     Running   0             20h
calico-system        calico-node-9tglm                           1/1     Running   0             20h
calico-system        calico-typha-664b86ccfd-bs65l               1/1     Running   0             20h
calico-system        csi-node-driver-tftld                       2/2     Running   0             20h
kube-system          consul-consul-cni-94n62                     1/1     Running   0             13s

Note to Reviewers:

  • Is there anything in the consul-k8s cli that might need to change for this?

How I expect reviewers to test this PR:
👀

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)
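
The namespace split that the PR body describes, as an added illustration that is not part of the PR or of the consul-k8s chart: the namespace holding the Consul workloads is labelled for the restricted Pod Security Standard, the namespace the CNI plugin is installed into is labelled privileged, and the Helm values point connectInject.cni.namespace at the latter. Only connectInject.cni.namespace comes from the PR; the namespace name consul, the choice of kube-system for the CNI plugin, the v1.25 version pin, the helm -n flag, and the assumption that the namespaces are labelled before helm install are assumptions for this example.

```yaml
# Added example (not the PR's or the chart's own files). Assumed: Consul is
# released into the "consul" namespace and the CNI plugin into kube-system.
# The first two documents are applied with kubectl; the third is a separate
# values file passed to helm -f.

# --- consul-namespaces.yaml ---------------------------------------------
# Namespace for the Consul servers, clients and injector. PodSecurity
# admission enforces the "restricted" standard here, so any pod that asks
# for hostNetwork, hostPath, privileged, or added capabilities is rejected.
apiVersion: v1
kind: Namespace
metadata:
  name: consul
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.25
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Namespace that receives the CNI DaemonSet. kube-system already exists on
# every cluster, so applying this only sets the labels; if you use a
# dedicated namespace such as consul-system instead, create it with the
# same labels before running helm install. An explicit "privileged" label
# overrides any cluster-wide default from the PodSecurity admission
# configuration, so the CNI pod's elevated permissions are allowed here
# and nowhere else.
apiVersion: v1
kind: Namespace
metadata:
  name: kube-system
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: v1.25
---
# --- values.yaml (helm install consul hashicorp/consul -n consul -f values.yaml)
# Only connectInject.cni.namespace is the field this PR introduces; the
# rest mirrors the x.yaml the PR author tested with.
connectInject:
  enabled: true
  cni:
    enabled: true
    # Install the CNI plugin's resources into the privileged namespace
    # rather than the Helm release namespace ("consul").
    namespace: kube-system
```

The check that matters after install is the same one the PR's test output shows: the consul-cni pod should be listed under kube-system, and every other Consul pod under consul. If the CNI namespace were left with an enforce=restricted label, PodSecurity admission would reject the DaemonSet's pods at creation time; kubectl describe on the DaemonSet then shows the FailedCreate events with the violated fields.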


Overview of commits

@hc-github-team-consul-ecosystem hc-github-team-consul-ecosystem force-pushed the backport/allow_cni_namespacing/gratefully-fond-fly branch from 9d1b8dc to 2ac0ae2 Compare November 30, 2022 20:04
@kschoche kschoche requested a review from david-yu November 30, 2022 20:05
@kschoche kschoche self-assigned this Nov 30, 2022
@kschoche kschoche marked this pull request as ready for review November 30, 2022 20:06
Contributor

@david-yu david-yu left a comment

In favor of the backport here to allow us to support PSA in 1.0.x for k8s 1.25.x

@kschoche kschoche merged commit 509b63b into release/1.0.x Nov 30, 2022
@kschoche kschoche deleted the backport/allow_cni_namespacing/gratefully-fond-fly branch November 30, 2022 20:33