test: add e2e tests for TLS security profile watcher

Add end-to-end tests that verify the operator correctly watches the
APIServer CR for TLS security profile changes and restarts accordingly.

Test scenarios:
- Operator is running and healthy with the default (nil/Intermediate) TLS profile
- Operator restarts when TLS profile changes to Old
- Operator restarts when TLS profile changes to a Custom profile
- Operator does NOT restart when a non-TLS field (annotation) is modified

The test file is prefixed with zz_ to ensure it runs last in the e2e
suite, since modifying the APIServer TLS profile triggers a
MachineConfigPool rollout which can be disruptive to other tests.

Assisted by Claude Code.

Author: IshwarKanse