
AWS IAM: ensure cleanup of IAM roles using finalizer #97

Merged
merged 6 commits into from
Dec 7, 2023

Conversation

orishoshan
Contributor

Description

Prior to this PR, in some circumstances, AWS IAM roles created by the credentials operator could be left dangling, when the operator was not available while the Pods and ServiceAccounts responsible for their creation were removed or modified.

Finalizers are now used to ensure that this doesn't happen.
Pods have a finalizer added to them in the pod webhook. This finalizer does the minimal amount of work - when a pod is terminating, it modifies a label on the linked ServiceAccount and removes the finalizer, or if the ServiceAccount no longer exists, it simply removes the finalizer. This is done to enable the pod to terminate as soon as possible.
The bulk of the work is done on the ServiceAccount, where IAM roles will be removed if it is labeled as having no related pods (by the pod reconciler's finalizer) or if the ServiceAccount itself is terminating.

References

Related: otterize/intents-operator#309

Testing

Describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

Please include any manual steps for testing end-to-end or functionality not covered by unit/integration tests.

Also include details of the environment this PR was developed in (language/platform/browser version).

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR and in github.com/otterize/docs
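The two-stage finalizer flow described above (pod finalizer flips a label on its ServiceAccount and releases the pod; the ServiceAccount reconciler deletes the IAM role), as an added example that is not the credentials operator's own code. It is a plain-Go simulation with in-memory stand-ins for the API server and for the IAM client; the finalizer name, the label key, the role naming scheme and every type and function name are assumptions, not identifiers from the project.

```go
package main

import "fmt"

// Assumed names: the page does not give the operator's real finalizer or label keys.
const (
	podFinalizer = "example.invalid/iam-role-cleanup" // hypothetical finalizer name
	labelNoPods  = "example.invalid/has-no-pods"      // hypothetical label key
)

// Minimal stand-ins for the Kubernetes objects involved.
type Pod struct {
	Name           string
	ServiceAccount string
	Finalizers     []string
	Terminating    bool // deletionTimestamp is set
}

type ServiceAccount struct {
	Name        string
	Labels      map[string]string
	Terminating bool
}

// Cluster is an in-memory stand-in for API server state.
type Cluster struct {
	Pods            map[string]*Pod
	ServiceAccounts map[string]*ServiceAccount
}

// IAM is a stand-in for the AWS IAM client: it only records which roles exist.
type IAM struct{ Roles map[string]bool }

func roleNameFor(sa string) string { return "role-for-" + sa } // hypothetical naming scheme

func hasFinalizer(fs []string, f string) bool {
	for _, x := range fs {
		if x == f {
			return true
		}
	}
	return false
}

func removeFinalizer(fs []string, f string) []string {
	out := make([]string, 0, len(fs))
	for _, x := range fs {
		if x != f {
			out = append(out, x)
		}
	}
	return out
}

// AdmitPod mirrors the webhook step: a pod bound to a service account gets the finalizer
// before it is persisted, so the API server cannot drop it until the operator has acted.
func AdmitPod(p *Pod) {
	if p.ServiceAccount != "" && !hasFinalizer(p.Finalizers, podFinalizer) {
		p.Finalizers = append(p.Finalizers, podFinalizer)
	}
}

// livePods counts non-terminating pods bound to sa, ignoring the pod named except.
func (c *Cluster) livePods(sa, except string) int {
	n := 0
	for _, p := range c.Pods {
		if p.ServiceAccount == sa && p.Name != except && !p.Terminating {
			n++
		}
	}
	return n
}

// ReconcilePod mirrors the pod-side finalizer and does the minimum: label the service
// account as pod-less if this was its last live pod, then release the pod. If the
// service account is already gone, the finalizer is simply removed.
func ReconcilePod(c *Cluster, p *Pod) {
	if !p.Terminating || !hasFinalizer(p.Finalizers, podFinalizer) {
		return
	}
	if sa, ok := c.ServiceAccounts[p.ServiceAccount]; ok && c.livePods(sa.Name, p.Name) == 0 {
		sa.Labels[labelNoPods] = "true"
	}
	p.Finalizers = removeFinalizer(p.Finalizers, podFinalizer)
	if len(p.Finalizers) == 0 {
		delete(c.Pods, p.Name) // the API server would now finish the deletion
	}
}

// ReconcileServiceAccount does the bulk of the work: the IAM role is deleted when the
// service account is terminating or has been labelled as having no related pods.
// Returns true if a role was deleted on this pass; safe to call repeatedly.
func ReconcileServiceAccount(sa *ServiceAccount, iam *IAM) bool {
	if !sa.Terminating && sa.Labels[labelNoPods] != "true" {
		return false
	}
	role := roleNameFor(sa.Name)
	if !iam.Roles[role] {
		return false // nothing dangling
	}
	delete(iam.Roles, role)
	return true
}

// RunCleanupScenario walks the lifecycle: pod admitted, role provisioned, pod deleted while
// the operator is down, operator returns and reconciles. Returns whether the role still exists.
func RunCleanupScenario() bool {
	sa := &ServiceAccount{Name: "app-sa", Labels: map[string]string{}}
	pod := &Pod{Name: "app-0", ServiceAccount: sa.Name}
	c := &Cluster{Pods: map[string]*Pod{pod.Name: pod}, ServiceAccounts: map[string]*ServiceAccount{sa.Name: sa}}
	iam := &IAM{Roles: map[string]bool{roleNameFor(sa.Name): true}} // constructed: role already exists
	AdmitPod(pod)
	pod.Terminating = true // deletion requested while the operator is unavailable; the pod lingers
	ReconcilePod(c, pod)   // operator comes back
	ReconcileServiceAccount(sa, iam)
	return iam.Roles[roleNameFor(sa.Name)]
}

// RunMissingSAScenario: the service account was deleted before the pod finalizer ran; the
// pod must still be released. Returns whether the pod still carries the finalizer.
func RunMissingSAScenario() bool {
	pod := &Pod{Name: "orphan-0", ServiceAccount: "gone-sa"}
	AdmitPod(pod)
	pod.Terminating = true
	c := &Cluster{Pods: map[string]*Pod{pod.Name: pod}, ServiceAccounts: map[string]*ServiceAccount{}}
	ReconcilePod(c, pod)
	return hasFinalizer(pod.Finalizers, podFinalizer)
}

func main() {
	fmt.Println("role remains after cleanup:", RunCleanupScenario())
	fmt.Println("orphan pod still holds finalizer:", RunMissingSAScenario())
}
```

The pod path never talks to IAM, which is what keeps pod termination fast; all IAM calls sit behind the ServiceAccount reconcile, which is idempotent so it can be retried after an operator restart.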

@orishoshan orishoshan enabled auto-merge (squash) December 7, 2023 17:42
@orishoshan orishoshan merged commit c541b5d into main Dec 7, 2023
4 checks passed
@orishoshan orishoshan deleted the orisho/ensure_iam_cleanup branch December 7, 2023 18:01
@github-actions github-actions bot locked and limited conversation to collaborators Dec 7, 2023