feat(inject): add proxy-additional-env annotation for per-scope env overrides

[relu]

Add support for a generic annotation that allows setting additional proxy environment variables via a JSON-encoded list of Kubernetes EnvVar objects on namespaces and workloads.

During injection, env vars are merged by name with precedence: Helm proxy.additionalEnv < namespace annotation < workload annotation

This provides a generic mechanism for per-namespace/workload proxy env var overrides without requiring dedicated annotations for each new proxy setting.

Addresses #15152

[alpeb]

Thanks @relu , looks great!

Please add a reference to this new annotation in the ProxyAnnotations slice. This will allow for AppendNamespaceAnnotations to consider it, and be properly inherited to workloads from namespace, if the workload doesn't have it already. I understand this would be redundant with what MergeAdditionalEnv already does, but IMO it would be more aligned with the behavior of the other annotations, and make things a little less surprising.

Also please a new entry in cli/cmd/doc.go.

I'm checking why the multicluster integration test is failing...

[alpeb]

Thanks for the quick turnaround. One last ask: can you also expand TestInjectAutoNamespaceOverrideAnnotations with this annotation, so we get integration test coverage as well?

[alpeb]

The tests are failing because the PatchDeploy function isn't properly escaping the annotation value. Can you please fix that?

[relu]

Opted for a change to PatchDeploy itself so that the output is escaped accordingly.

[alpeb]

All green! Thanks again @relu !