Consider full reconciliation for Istio prerequisite resources #186

@aslakknutsen

Background

The operator creates a ServiceEntry and DestinationRule at startup via IstioPrerequisites.apply() using server-side apply. These resources are required for the RuleSet cache server to be reachable from Envoy sidecars within the mesh.

Currently this is fire-and-forget: the resources are applied once during startup and never checked again. If someone manually deletes or modifies them, the operator won't notice or restore them.

Flagged during review of #143.

Question

Should these resources be fully reconciled (e.g. via a controller watch or periodic re-apply)?

Arguments for reconciliation

  • Self-healing: if the ServiceEntry/DestinationRule is accidentally deleted or modified, the operator recovers automatically
  • Consistency with how the operator manages other resources (WasmPlugin, etc.)

Arguments against

  • These are static resources that rarely change — overkill to watch them
  • Adds controller complexity and RBAC surface (would need list/watch on networking.istio.io resources)
  • The operator already fails clearly if they're missing (cache server unreachable)

Current code

  • internal/controller/istio_prerequisites.go, apply() method
  • Called once from cmd/main.go during startup

Status: Backlog

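
The periodic re-apply option raised in the question above, as an added example (not code from the issue or the project): `Applier`, `fakeCluster`, `ReapplyLoop` and the resource names are hypothetical, and an in-memory map stands in for the API server. Because the loop only repeats the call made at startup, it needs no list/watch permission beyond what startup already uses.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// Applier is a hypothetical stand-in for IstioPrerequisites; Apply must be idempotent.
type Applier interface{ Apply(ctx context.Context) error }

// fakeCluster is a constructed in-memory stand-in for the API server.
type fakeCluster struct {
	mu      sync.Mutex
	objects map[string]string // resource name -> spec (names are made up)
}

// Apply writes the desired state of both resources, overwriting any drift.
func (c *fakeCluster) Apply(context.Context) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.objects["ServiceEntry/cache"] = "desired"
	c.objects["DestinationRule/cache"] = "desired"
	return nil
}

// ReapplyLoop applies once immediately, then on every tick until ctx is done.
// A failed apply is counted and retried on the next tick, not treated as fatal.
func ReapplyLoop(ctx context.Context, a Applier, every time.Duration) (failures int) {
	t := time.NewTicker(every)
	defer t.Stop()
	for {
		if err := a.Apply(ctx); err != nil {
			failures++
		}
		select {
		case <-ctx.Done():
			return failures
		case <-t.C:
		}
	}
}

func main() {
	c := &fakeCluster{objects: map[string]string{}}
	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
	defer cancel()
	fmt.Println("failed applies:", ReapplyLoop(ctx, c, 10*time.Millisecond), c.objects)
}
```

The trade-off against a watch is latency: drift persists for up to one interval before the next apply overwrites it.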