Add a pod-level opt-out for ambient DNS proxying, in preparation for enabling that by default globally (#3361)

* Add a pod-level opt-out for ambient DNS proxying, in preparation for enabling that by default globally.

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

* Add relnote

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

* Change to `ambient.istio.io/dns-capture` as per review comments

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

* Wording tweak

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

* Fixup relnote

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

---------

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

Author: bleggett

annotation/annotations.gen.go

@@ -582,3 +582,13 @@ annotations:
     hidden: false
     resources:
       - Pod
+
+  - name: ambient.istio.io/dns-capture
+    featureStatus: Alpha
+    description: |
+      When specified on a `Pod` enrolled in ambient mesh, controls whether DNS traffic (TCP and UDP on port 53) will be captured and proxied in ambient.
+      Note that setting this to `false` will break some Istio features, such as ServiceEntries and egress waypoints, but may be desirable for workloads that interact poorly with DNS proxies.
+    deprecated: false
+    hidden: true
+    resources:
+      - Pod

annotation/annotations.yaml

@@ -0,0 +1,8 @@
+apiVersion: release-notes/v2
+kind: feature
+area: traffic-management
+issue:
+- 49829
+releaseNotes:
+- |
+    **Added** `ambient.istio.io/dns-capture` annotation. When specified on a `Pod` enrolled in ambient mesh, DNS traffic (TCP and UDP on port 53) will not be captured or proxied. This will break some Istio features, such as ServiceEntries and egress waypoints, but may be desirable for workloads that interact poorly with DNS proxies.