feat: add STS web identity and stabilize live e2e

[GatewayJ]

Type of Change

• New Feature
• Bug Fix
• Documentation
• Performance Improvement
• Test/CI
• Refactor
• Other:

Related Issues

N/A

Summary of Changes

This PR adds the operator STS web identity path and stabilizes the live e2e workflow around it.

• Add the namespaced PolicyBinding API, generated CRDs, RBAC, Helm/k8s-dev manifests, and an operator STS service endpoint.
• Add STS request parsing, TokenReview identity validation, PolicyBinding lookup, session policy merging, RustFS admin/client calls, XML response rendering, and console runtime wiring.
• Add STS unit, manifest, and live e2e coverage.
• Make e2e-live-run repeatable by resetting Tenant/PVC/PV/hostPath fixtures before the suites run, while sts_functional reuses the Ready smoke Tenant instead of recreating storage.
• Preload cert-manager images into Kind during live environment creation and verify cert-manager rollout before TLS live suites.

Checklist

• I have read and followed the CONTRIBUTING.md guidelines
• Passed make pre-commit (fmt-check + clippy + test + console-lint + console-fmt-check)
• Added/updated necessary tests
• Documentation updated (if needed)
• CHANGELOG.md updated under [Unreleased] (if user-visible change)
• CI/CD passed (if applicable)

Impact

• Breaking change (CRD/API compatibility)
• Requires doc/config/deployment update
• Other impact: adds a new STS endpoint and live e2e environment reset behavior.

Verification

make pre-commit
make e2e-live-create
make e2e-live-run
make e2e-live-run

Additional Notes

The repeated make e2e-live-run verification checks that local PVs and hostPath data are reset between live runs and that STS reuses the smoke Tenant without destabilizing PVC binding.

---

Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.