firewall_controller: honor firewall-managed annotation and loadBalancerSourceRanges for LoadBalancer services#915

Status: Open

elkh510 wants to merge 1 commit into digitalocean:master from elkh510:fix/firewall-lb-managed-source-ranges

Conversation

elkh510 commented Jun 1, 2026

Fixes #911

Changes

1. Extend isManaged() check to LoadBalancer services

The kubernetes.digitalocean.com/firewall-managed: "false" annotation was silently ignored for LoadBalancer services - isManaged() was only called in the NodePort branch. This change adds the same check to the LoadBalancer branch so the annotation works consistently across both service types.

2. Use spec.loadBalancerSourceRanges as inbound rule sources

For REGIONAL_NETWORK + external LoadBalancer services, service port inbound rules were always created with hardcoded 0.0.0.0/0 / ::/0 sources. This change reads spec.loadBalancerSourceRanges (already parsed elsewhere for LB-level firewall rules) and uses those CIDRs as the source addresses in the worker firewall inbound rules when set.

Health check port rules are unaffected - they continue to use LoadBalancerUIDs as source.

Internal (network: internal) LBs are unaffected - they are excluded by the existing lbNetwork == External guard and no worker firewall rules are added for them.

Tests

Two new test cases added to TestFirewallController_createReconciledFirewallRequest:

  • skip REGIONAL_NETWORK LB service when firewall-managed annotation is false
  • use loadBalancerSourceRanges as inbound rule sources for REGIONAL_NETWORK LB

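As an added illustration of the two behaviours the description above specifies (this is not code from this PR or from digitalocean-cloud-controller-manager), the following self-contained Go sketch uses hypothetical stand-in types to derive the worker-firewall inbound rule sources for an external REGIONAL_NETWORK LoadBalancer service: it skips the service when the firewall-managed annotation is "false", uses the validated spec.loadBalancerSourceRanges CIDRs when set, and falls back to 0.0.0.0/0 and ::/0 only when none are given.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Service is a hypothetical, minimal stand-in for the Kubernetes Service
// fields the controller consults; it is not the project's own type.
type Service struct {
	Name                     string
	Annotations              map[string]string
	LoadBalancerSourceRanges []string // spec.loadBalancerSourceRanges
}

const firewallManagedAnnotation = "kubernetes.digitalocean.com/firewall-managed"

// isManaged applies the opt-out described in the PR: only the explicit
// value "false" excludes a service from worker-firewall management.
func isManaged(svc Service) bool {
	v, ok := svc.Annotations[firewallManagedAnnotation]
	return !ok || strings.TrimSpace(v) != "false"
}

// inboundSources returns the source CIDRs for the service-port inbound rule.
// managed is false (and sources nil) when the annotation opts the service out.
// Invalid CIDRs are rejected rather than silently widened to 0.0.0.0/0.
func inboundSources(svc Service) (sources []string, managed bool, err error) {
	if !isManaged(svc) {
		return nil, false, nil
	}
	if len(svc.LoadBalancerSourceRanges) == 0 {
		return []string{"0.0.0.0/0", "::/0"}, true, nil // previous hardcoded behaviour
	}
	for _, r := range svc.LoadBalancerSourceRanges {
		_, ipnet, perr := net.ParseCIDR(strings.TrimSpace(r))
		if perr != nil {
			return nil, true, fmt.Errorf("service %s: bad loadBalancerSourceRanges entry %q: %w", svc.Name, r, perr)
		}
		sources = append(sources, ipnet.String()) // normalized, host bits cleared
	}
	return sources, true, nil
}

func main() {
	// Constructed sample: an external LB restricted to two documentation prefixes.
	svc := Service{Name: "web", LoadBalancerSourceRanges: []string{"203.0.113.0/24", "2001:db8::/32"}}
	srcs, managed, err := inboundSources(svc)
	fmt.Println(srcs, managed, err)
}
```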
elkh510 commented Jun 1, 2026

hi @gottwald @sreeram-venkitesh @sriritwikdo — could you please take a look when you have a moment? This fixes the two issues described in #911.

Development

Successfully merging this pull request may close these issues.

firewall_controller: no way to restrict inbound source CIDRs for LoadBalancer services on DOKS (hardcoded to 0.0.0.0/0)