Add Kyverno policy to enforce staleReplicaTimeout=60 on Longhorn Volumes

What does this MR do and why?

This MR introduces a Kyverno Policy as Unit to enforce spec.staleReplicaTimeout = 60 for all Longhorn Volumes.

Key points:

• Applies to both new and existing volumes via background: true and mutateExistingOnPolicyUpdate: true.

• Updates Kyverno RBAC to grant necessary permissions (get, list, watch, patch, update) on longhorn.io/volumes for the background controller.

• Ensures consistent Longhorn volume behavior across the cluster by fixing staleReplicaTimeout retroactively and on new volume creation.

closes: #2520 (closed)

Related discussion: !4672 (comment 2751200287)

Test coverage

CI configuration

Below you can choose test deployment variants to run in this MR's CI.

Click to open to CI configuration

Legend:

Icon	Meaning	Available values
☁️	Infra Provider	capd, capo, capm3
🚀	Bootstrap Provider	kubeadm (alias kadm), rke2, okd, ck8s
🐧	Node OS	ubuntu, suse, na, leapmicro
🛠️	Deployment Options	light-deploy, dev-sources, ha, misc, maxsurge-0, logging, no-logging, openbao
🎬	Pipeline Scenarios	Available scenario list and description

• ☁️ capm3 🚀 rke2 🐧 suse
• ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-from-1.4.x 🛠️ ha 🐧 suse

Global config for deployment pipelines

• autorun pipelines
• allow failure on pipelines
• record sylvactl events

Notes:

• Enabling autorun will make deployment pipelines to be run automatically without human interaction
• Disabling allow failure will make deployment pipelines mandatory for pipeline success.
• if both autorun and allow failure are disabled, deployment pipelines will need manual triggering but will be blocking the pipeline

Be aware: after configuration change, pipeline is not triggered automatically. Please run it manually (by clicking the run pipeline button in Pipelines tab) or push new code.