Improve Reconciling initializer logic feature

[OlegErshov]

Problem

Currently, security-operator has a feature that keeps already-initialized logical clusters up to date by reconciling LogicalClusters and applying the same logic as the initializer.

This functionality has a problem with the upcoming scoped kubeconfigs feature:

• Controllers reconciling LogicalClusters are located in the operator cobra command
• These controllers use the core.platform-mesh.io APIExport
• The core.platform-mesh.io APIExport cannot reference resources from system.platform-mesh.io APIExport in its PermissionClaims (where the IDP resource is located)
• Therefore, these controllers cannot operate on IDP resources using manager.GetCluster(clusterName).GetClient(), which is required for scoped kubeconfigs

Proposed Solution

1. Move controllers that reconcile LogicalClusters and apply initializer logic into the system cobra command
2. Add required PermissionClaims for initializing resources to the system.platform-mesh.io APIExport

Challenge: Multi-Provider Cluster Name Prefixing

The Store controller requires a multi provider with both APIExports (system and core). Multi-provider changes cluster names in the cache from just a cluster name to
providerName#clusterName.

The Issue

• Initialization logic needs access to the :root:orgs workspace
• In the multi-provider cache, this workspace will be referenced as:
  • system#root:orgs
  • core#root:orgs

The Conflict

• In subroutine code: To access root:orgs using multi-provider, it's required to add a provider prefix
• In Initializer itself: Uses the initializing provider, which will have just root:orgs in its cache (without prefix)

This makes it harder to use the same subroutines for:

1. The initializer itself
2. Controllers that apply the same logic on already-initialized LogicalClusters

Affected Components:

• cmd/operator.go
• cmd/system.go
• internal/controller/orglogicalcluster_controller.go
• internal/controller/accountlogicalcluster_controller.go