Bind and unbind managed resources conservatively

[negz]

Description of your changes

Fixes #177

The two commits in this PR gate against a handful of possible issues:

1. Composite resource C composes managed resource M. Claim A explicitly sets its resource reference to managed resource M, thereby making M doubly owned by a claim and a composition.
2. Claim A dynamically provisions managed resource M. Claim B runs and wins a race against Claim A to bind to the newly provisioned and bindable M.
3. Claim A dynamically provisions managed resource M. Claim B explicitly sets its resource reference to M, and is then deleted, thereby deleting M which it was never bound to and did not dynamically provision.

We noticed both of these issues during review of #174 (which did not introduce them). I'd like to wait until that PR is merged before I manually test this.

Note (cc @prasek) that one implication of this change is that a resource claim may not claim a managed resource that was statically provisioned by an infrastructure stack. i.e. You could not author an infra stack that created a CloudSQLInstance, then later author a MySQLInstance that claimed that CloudSQLInstance. To my knowledge we don't do this today - infra stacks only provision "unclaimable" supporting infrastructure like VPC networks.

Checklist

I have:

• Run make reviewable to ensure this PR is ready for review.
• Ensured this PR contains a neat, self documenting set of commits.
• Updated any relevant documentation, examples, or release notes.
• Updated the RBAC permissions in clusterrole.yaml to include any new types.

[negz]

@muvaf @hasheddan Can you sanity check the commit I just added that guards against binding to managed resources with controller refs. Do we have any cases where a resource (e.g. a stack) creates and is the controller reference of a managed resource that is intended to be claimable?

[negz]

I've rebased this on #174 (which is now merged) and tested that:

• Dynamic provisioning still works as expected.
• Static provisioning still works as expected.
• Deleting a claim that is trying but failing to dynamically provision a managed resource deletes said managed resource.
• I get an error when I try to nefariously 'unbind' a managed resource that is already bound to a different claim.
• I get an error when I nefariously try to race the claim that dynamically provisioned a managed resource to bind said managed resource.
• I get an error when I try to claim a managed resource that is part of a composition.

[hasheddan]

Do we have any cases where a resource (e.g. a stack) creates and is the controller reference of a managed resource that is intended to be claimable?

We do not currently provision claimable resources in stacks (i.e. all managed resources are network related, and the only other resources are providers or classes). However, we don't explicitly guard against doing so, so a stack could provision a managed resource and I believe it would be unable to be claimed in this situation. I think that is ok as I see stacks likely getting replaced by composition.

[muvaf]

LGTM! I needed to refresh my memory about why we can't add controller ref of claim to the managed resource and the reason was namespaced cannot own cluster-scoped.