
feat(operator): add ACL watcher sidecar image #478

Open
rkthtrifork wants to merge 5 commits into dragonflydb:main from rkthtrifork:rkth/acl-watcher-sidecar

Conversation


@rkthtrifork rkthtrifork commented Mar 9, 2026

Summary

  • Add a tiny ACL watcher sidecar image (inotify + redis-cli) to reload ACLs when the mounted file changes.
  • Wire the sidecar into Dragonfly pods when spec.aclFromSecret is configured.
  • Add Makefile targets and CI workflow steps to build/publish the ACL watcher image.

Motivation

Mounted Secret updates are eventually consistent. The sidecar watches the ACL file and runs ACL LOAD after the file actually changes.

Notes

  • spec.authentication.passwordFromSecret is not automatically updated since it is injected through an environment variable. It could make sense to document this and recommend using aclFromSecret if possible.

Testing

  • Not done. I would like to confirm interest in this approach before investing time in testing.

Issue

#479

rkthtrifork (Author) commented Mar 9, 2026

Alternative implementation: a small Go binary that does the same and runs in a distroless container for improved security. I have already implemented that locally and would like to use it if you agree it is sensible.

EDIT: I have done this because I think it's more production-ready and it was a fairly small change.

Abhra303 (Contributor) commented

Hi @rkthtrifork, having a separate ACL watcher sidecar sounds like overdoing it. Have you considered extending the reconciler to do so?

rkthtrifork (Author) commented

> Hi @rkthtrifork, having a separate ACL watcher sidecar sounds like overdoing it. Have you considered extending the reconciler to do so?

I considered it, but the mounted ACL file is updated asynchronously by Kubernetes. If the controller watches the Secret, it will trigger immediately, which will usually be before the mounted ACL file has been updated.

Alternatively, the controller should watch the Secret and apply the changes through the Dragonfly API, but then it's not the mounted file that's the source of truth anymore, which creates the problem of drift. I'm not a fan of that.
