feat(helm): limit webhooks only to namespaces with kuma.io/sidecar-injection label

[lukidzi]

Motivation

Webhooks currently use a very broad namespace selector that only excludes the kube-system namespace. To improve both security and performance, we’ve decided to restrict webhooks to only watch namespaces that have the kuma.io/sidecar-injection label.

Implementation information

• Update the namespace selector to include only namespaces labeled with kuma.io/sidecar-injection, or kuma-system (for mesh defaulter/owner reference cases).
• Add an UPGRADE.md section with a Bash script that checks for pods participating in the mesh that are located in namespaces without the kuma.io/sidecar-injection label

Needs: #13377

Supporting documentation

Fix #13372

[github-actions]

Reviewer Checklist

🔍 Each of these sections need to be checked by the reviewer of the PR 🔍:
If something doesn't apply please check the box and add a justification if the reason is non obvious.

• Is the PR title satisfactory? Is this part of a larger feature and should be grouped using > Changelog?
• PR description is clear and complete. It Links to relevant issue as well as docs and UI issues
• This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as an image registry)
• IPv6 is taken into account (.e.g: no string concatenation of host port)
• Tests (Unit test, E2E tests, manual test on universal and k8s)
  • Don't forget ci/ labels to run additional/fewer tests
• Does this contain a change that needs to be notified to users? In this case, UPGRADE.md should be updated.
• Does it need to be backported according to the backporting policy? (this GH action will add "backport" label based on these file globs, if you want to prevent it from adding the "backport" label use no-backport-autolabel label)

[slonka]

Some suggestions for upgrade.md and there is definitely something that got merged badly because one point is in the middle of another