Add baseImage validation, status field, and documentation

[ivanauth]

Summary

Improvements to the alternative container registry feature (PR #367):

• Validate baseImage format: Reject tags (:tag) and digests (@sha256:...) in baseImage field, while correctly allowing port numbers in registry URLs (e.g., registry:5000/image)
• Add CEL validation: Early validation at Kubernetes API level for faster feedback
• Surface resolved base image in status: New status.resolvedBaseImage field for debugging
• Add documentation and examples: User-facing docs with common use cases and pitfalls

Relates to #387

Changes

• Add validation in pkg/config/config.go to reject invalid baseImage values
• Add ResolvedBaseImage field to ClusterStatus in pkg/apis/authzed/v1alpha1/types.go
• Add CEL validation rules to CRDs
• Add examples/alternative-registry/ with README and example manifests
• Add comprehensive tests for validation edge cases