Add multi-NIC support to EgressGateway

[fasaxc]

Summary

• Adds spec.network to EgressGateway so the primary pod interface can attach to a named Calico v3.Network (VRF today, L2 incoming) via the cni.projectcalico.org/networks annotation. Mutually exclusive with the (deprecating) spec.externalNetworks, enforced with a CEL rule.
• Adds spec.additionalInterfaces[] (max 9) to attach secondary NICs through Multus NetworkAttachmentDefinition references. Each entry has a deterministic pod-side interface name plus an attachment union (only multus for now; comment block reserves space for a native Calico-Network arm later).
• Controller discovers the NAD CRD at startup, conditionally watches NADs, and refuses to render additionalInterfaces unless Installation.spec.calicoNetwork.multiInterfaceMode=Multus and the NAD CRD is installed. Missing referenced NADs are a soft warning so NAD/EGW creation order doesn't fail reconcile.
• Render emits k8s.v1.cni.cncf.io/networks JSON for the secondary NICs and cni.projectcalico.org/networks for the primary's Network.

Design discussion / decisions captured in: `~/.claude/plans/write-up-the-plan-recursive-octopus.md`

Status

Draft. Open items I'd appreciate review on before un-drafting:

• Per-secondary ipPools wire path. The API surface accepts `ipPools` per `additionalInterfaces[]` entry, but the Multus → Calico IPAM plumbing (passing pool selection through `cni-args` in the Multus JSON) is not yet implemented and not yet verified end-to-end. The field is reserved; first render pass leaves it as a no-op. We should either wire it through `cni-args` or temporarily reject the field in validation, both additive follow-ups.
• AWS `nativeIP` + `spec.network` interaction is intentionally not validated in v1 (deferred).
• `externalNetworks` deprecation milestone — the CEL rule blocks setting both, but no removal timeline is in this PR.

Test plan

• `make gen-files` (regenerates deepcopy + CRD manifest cleanly)
• `go test ./pkg/render/egressgateway/...` (existing + 3 new cases: `network` annotation, multus annotation JSON, no-annotation default)
• `go test ./pkg/controller/egressgateway/...` (existing + 3 new cases: reject when `MultiInterfaceMode != Multus`, reject when NAD CRD absent, soft-warning when NAD missing)
• `go vet ./pkg/controller/egressgateway/... ./pkg/render/egressgateway/... ./pkg/controller/utils/... ./internal/controller/...`
• Manual smoke test on kind: install Multus, set `multiInterfaceMode=Multus`, create a NAD, apply an EgressGateway with `additionalInterfaces`, verify `ip link` inside the pod shows the secondary interface and that the pod annotations match. Pending.
• Negative manual: `multiInterfaceMode` unset → EGW shows Degraded with the documented message; delete the NAD → warning surfaces but Deployment remains.

🤖 Generated with Claude Code