Implement APIKeyRequest CRD and shadow resource controller

[eguzki]

Description

Define APIKeyRequest CRD and implement controller to automatically create shadow resources in owner's namespace for RBAC-enforced request discovery.

Acceptance Criteria

• Define APIKeyRequest CRD (devportal.kuadrant.io/v1alpha1) with spec fields: apiKeyRef.name, apiKeyRef.namespace, requestedBy, useCase, planTier, apiProductRef
• Implement controller that watches APIKey resources cluster-wide
• Automatically create APIKeyRequest in owner's namespace (APIKey.spec.apiProductRef.namespace) when APIKey is created
• CRITICAL: Implement explicit cleanup mechanism (OwnerReferences cannot be cross-namespace) to ensure APIKeyRequest is deleted when corresponding APIKey is deleted
• Sync status.conditions from APIKey to APIKeyRequest (excluding apiKeyValue for security isolation)
• Handle updates to APIKey by syncing to APIKeyRequest
• Generate CRD manifests and add to operator deployment
• Document in README
• Add unit tests for shadow resource creation
• Add integration tests for synchronization logic
• Add e2e tests for cleanup mechanism

Related

• Epic: RBAC system for developer portal capabilities kuadrant-console-plugin#353
• Design doc: docs/designs/2026-03-26-api-management-rbac-design.md