Fix small CRD issue with toGroups

[lbernail]

Fixes: f0049da ("pkg/k8s: fix all structural issues with CNP validation")

In 1.8.1, the CNP CRD uses the following for egress toGroups rules:

			"toGroups": {
				Type: "object",
				Description: `ToGroups is a list of constraints that will
				gather data from third-party providers and create a new
				derived policy.`,
				Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
					"aws": AWSGroup,
				},
			}

However the rule expects toGroups to be an array. From the doc example:

  egress:
  - toGroups:
    - aws:
        securityGroupsIds:
        - 'sg-0f2146100a88d03c3'

This commit modifies the CRD to be consistent with the rule spec to avoid validation errors from Kubernetes.

Fix toGroups CRD to address validation errors 

[aanm]

LGTM, can you add a Fixes: f0049da61f4f ("pkg/k8s: fix all structural issues with CNP validation") to your commit?

[coveralls]

Coverage decreased (-0.02%) to 36.918% when pulling d23446c on DataDog:lbernail/togroups-crd into 7afc2a9 on cilium:master.

[aanm]

test-me-please

[aanm]

test flake was fixed in upstream merging

[joestringer]

@lbernail @aanm are there any upgrade implications to this change?

[joestringer]

Possible upgrade implication with schema version, please take a look at the v1.6 backports. We will need to come to a shared understanding of that version and consistently backport to other branches based on it.

[lbernail]

are there any upgrade implications to this change?

@joestringer it worked fine from 1.8.1 to master but I haven't tested with earlier versions. Is validation enabled before 1.8? Because if it is it means toGroups has been broken for a while

[joestringer]

The related code for the schema has been around since v1.6, Not sure which versions that the schema validation is enabled for, but I seem to recall some upgrade notes early in v1.7 cycle around this.

Thinking this through, my take is that this PR tightens the CRD validation and should only affect users who currently run policies that would not pass the new validation. If they follow the upgrade instructions (specifically the preflight check) to validate their policies prior to upgrade, then they will not hit any issues.