Create domain policy
This defines a new ConstraintTemplate that will supersede the IngressAllowedDomain template. The idea here is that there is a single list of domains and the policy can be extended to validate various objects with those domains. In this case, it's validating both Ingress and Certificate objects. In the future, we could extend it to support Gateway objects (if we ever move to that). By creating a new constraint, we can cut over to this one without downtime and eventually remove the old template.
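
A sketch of a Gatekeeper template with this shape, added here as an example and not the template from this change. The names `AllowedDomains` and `domains`, the subdomain-matching rule, and the assumption that Certificate means the cert-manager resource (`spec.dnsNames`, `spec.commonName`) are all hypothetical.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: alloweddomains              # hypothetical name
spec:
  crd:
    spec:
      names:
        kind: AllowedDomains        # hypothetical kind
      validation:
        openAPIV3Schema:
          type: object
          properties:
            domains:                # the single shared list (assumed parameter name)
              type: array
              items: {type: string}
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package alloweddomains

        # One extractor per kind; supporting another kind means adding a rule here.
        hosts[h] { input.review.kind.kind == "Ingress"
                   h := input.review.object.spec.rules[_].host }
        hosts[h] { input.review.kind.kind == "Ingress"
                   h := input.review.object.spec.tls[_].hosts[_] }
        # Assumes cert-manager's Certificate fields.
        hosts[h] { input.review.kind.kind == "Certificate"
                   h := input.review.object.spec.dnsNames[_] }
        hosts[h] { input.review.kind.kind == "Certificate"
                   h := input.review.object.spec.commonName }

        # Exact match, or a subdomain. The leading "." stops
        # "notexample.com" from matching an allowed "example.com".
        allowed(h) { lower(h) == lower(input.parameters.domains[_]) }
        allowed(h) { d := lower(input.parameters.domains[_])
                     endswith(lower(h), concat("", [".", d])) }

        violation[{"msg": msg}] {
          h := hosts[_]
          not allowed(h)
          msg := sprintf("%v %v: host %v is not under an allowed domain",
                         [input.review.kind.kind, input.review.object.metadata.name, h])
        }
```

The constraint that instantiates this template has to list both kinds under `spec.match.kinds`, or only the matched kind is evaluated. Ingress rules with no `host` match any hostname and are not flagged by this sketch.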