SDL support for confidential compute #519

@linear

Add support to akash-network/provider for scheduling and operating tenant workloads inside confidential VMs backed by Kata Containers on AMD SEV-SNP hosts, with optional NVIDIA GPU confidential compute via the kata-qemu-nvidia-gpu-snp runtime class. Implements the provider-side half of the tenant-attestation architecture defined in AEP-83 Section 6, including a mutating admission webhook that injects an attestation sidecar, an untrusted directory API for endpoint discovery and the operational glue to route confidential workloads to nodes with the required hardware capabilities.

This implementation is subject to structural changes as development progresses due to the complex and changing nature of confidential compute.

Architectural invariants

These are load-bearing and must not be compromised during implementation:

  1. The provider does not produce or sign attestation verdicts. The directory API returns routing hints and tenant-validatable expectations only. The sidecar returns raw hardware-signed evidence.
  2. The attestation sidecar (optional) runs inside the same Kata VM as the tenant workload (same pod), not on the host plane. It inherits the confidential VM's hardware-rooted identity.
  3. The directory API is explicitly untrusted. Staleness is communicated via HTTP `Cache-Control`, not protocol-level TTL. Tenants validate directory responses against cryptographic evidence. (trusted parties, ITA, etc…)
  4. The tenant supplies the nonce end-to-end. The provider never generates or substitutes nonces.
  5. The sidecar supports both attestation surfaces (configfs-tsm and `/dev/sev-guest`), detected at runtime, not configured at build.
  6. The required node selectors (`katacontainers.io/kata-runtime=true`, `nvidia.com/cc.ready.state=true`, `amd.feature.node.kubernetes.io/snp=true`) are enforced at scheduling time for any deployment with `attestation: enabled: true` and a GPU resource.
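
One way a sidecar could honour invariants 4 and 5, shown as an added Go example that is not part of this issue or of the akash-network/provider code base. The names `DetectSurface` and `ReportData`, the preference for configfs-tsm when both surfaces exist, the exact 64-byte nonce rule and the usual configfs mount point under `/sys/kernel/config` are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Surface names one of the two attestation surfaces listed in invariant 5.
type Surface string

const (
	SurfaceConfigfsTSM Surface = "configfs-tsm"
	SurfaceSevGuest    Surface = "/dev/sev-guest"
	reportDataLen              = 64 // size of the SNP REPORT_DATA field in bytes
)

// ErrNoSurface is returned when the guest exposes neither surface.
var ErrNoSurface = errors.New("no attestation surface found in guest")

// DetectSurface probes the guest filesystem at runtime instead of relying on a
// build-time setting. root is "/" in a real guest; it is a parameter only so
// the probe can run against a constructed directory tree.
func DetectSurface(root string) (Surface, error) {
	tsm := filepath.Join(root, "sys/kernel/config/tsm/report")
	if fi, err := os.Stat(tsm); err == nil && fi.IsDir() {
		return SurfaceConfigfsTSM, nil // assumed preference when both exist
	}
	if _, err := os.Stat(filepath.Join(root, "dev/sev-guest")); err == nil {
		return SurfaceSevGuest, nil
	}
	return "", ErrNoSurface // fail closed: no surface, no evidence
}

// ReportData copies the tenant nonce into the 64-byte report data field.
// A wrong-sized nonce is rejected; it is never generated, padded or replaced.
func ReportData(tenantNonce []byte) ([reportDataLen]byte, error) {
	var rd [reportDataLen]byte
	if len(tenantNonce) != reportDataLen {
		return rd, fmt.Errorf("nonce must be %d bytes, got %d", reportDataLen, len(tenantNonce))
	}
	copy(rd[:], tenantNonce)
	return rd, nil
}

func main() {
	s, err := DetectSurface("/")
	fmt.Println(s, err)
}
```

A production sidecar would additionally confirm that `/dev/sev-guest` is a character device before using it.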
