
Ability to customize CNI ports #1744

Closed
ncdc opened this issue Jun 10, 2020 · 1 comment · Fixed by #1747
Labels: kind/feature

ncdc (Contributor) commented Jun 10, 2020

/kind feature

Describe the solution you'd like
While #392 requests the ability to customize security group rules, the solution for that will require rethinking how we declaratively manage multiple aspects of networking (VPC, security groups, etc). We'd like to tackle that as part of a new v1alpha4 API version.

In the meantime, it would be nice to modify v1alpha3 to allow the user to customize which ports are open for a CNI to be functional. We currently hard-code rules for BGP and IP-in-IP (for Calico). Some of our users are interested in trying Antrea, which requires one UDP port for the overlay protocol (VXLAN or Geneve, for example), and another TCP port to enable Antrea agent-to-controller communications.

To add Antrea support, we could add these rules on top of the Calico ones, but that would open more ports than required. Rather than do this, we'd like to do the following:

  1. Do not make any changes to the current set of defaults (i.e., continue to configure for Calico)
  2. Do not make any changes that break current CAPA clusters
  3. Adjust the AWSCluster spec to allow CNI port configuration
     1. Maybe something like spec.networkSpec.cni (optional / pointer), which looks like this (names TBD):

```go
type CNISpec struct {
  IngressRules infrav1.IngressRules
}
```

  4. Add defaulting webhook logic for this cni field
     1. If nil, fill in the Calico rules that are currently hard-coded in securitygroups.go
  5. Remove the Calico rules from securitygroups.go
  6. Modify securitygroups.go to merge the current set of hard-coded rules (SSH, etcd, etc.) with the new CNI rules from the AWSCluster spec

cc @detiber @vincepri @randomvariable - did I capture this accurately?
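The following is an added sketch of the defaulting and merge steps proposed above; it is example code written for this page, not ncdc's code and not the cluster-api-provider-aws implementation. `IngressRule`, `CNISpec`, the `Source` field, the `sg-node-placeholder` id and the base rule list are assumed stand-ins for the project's own types; the Calico port numbers (BGP TCP 179, IP-in-IP protocol 4) are standard values, and the Antrea ports used as sample input are assumptions, not taken from the issue.

```go
package main

import (
	"fmt"
	"sort"
)

// IngressRule is an assumed stand-in for infrav1.IngressRule (not the project's type).
type IngressRule struct {
	Description string
	Protocol    string // "tcp", "udp", or an IP protocol number such as "4" for IP-in-IP
	FromPort    int    // -1 together with ToPort -1 means "all ports" for non-TCP/UDP protocols
	ToPort      int
	Source      string // constructed: security group id or CIDR the rule accepts traffic from
}

// CNISpec mirrors the field proposed in the issue: spec.networkSpec.cni (optional / pointer).
type CNISpec struct {
	IngressRules []IngressRule
}

// nodeSG is a constructed placeholder for the cluster's node security group id.
const nodeSG = "sg-node-placeholder"

// calicoDefaults are the rules the issue says are hard-coded today for Calico.
// BGP is TCP 179 and IP-in-IP is IP protocol 4 (standard values, not from the issue).
func calicoDefaults() []IngressRule {
	return []IngressRule{
		{Description: "bgp (calico)", Protocol: "tcp", FromPort: 179, ToPort: 179, Source: nodeSG},
		{Description: "IP-in-IP (calico)", Protocol: "4", FromPort: -1, ToPort: -1, Source: nodeSG},
	}
}

// baseRules stand in for the rules securitygroups.go keeps regardless of CNI
// (SSH, etcd, ... per the issue); this subset is constructed for the example.
func baseRules() []IngressRule {
	return []IngressRule{
		{Description: "ssh", Protocol: "tcp", FromPort: 22, ToPort: 22, Source: nodeSG},
		{Description: "etcd", Protocol: "tcp", FromPort: 2379, ToPort: 2380, Source: nodeSG},
	}
}

// DefaultCNI is step 4.1: a nil cni field is filled with the Calico rules, so an
// existing AWSCluster keeps exactly the ports it has today (steps 1 and 2).
func DefaultCNI(cni *CNISpec) *CNISpec {
	if cni == nil {
		return &CNISpec{IngressRules: calicoDefaults()}
	}
	return cni
}

// ruleKey identifies a rule by what it opens, ignoring the free-text description.
func ruleKey(r IngressRule) string {
	return fmt.Sprintf("%s/%d-%d/%s", r.Protocol, r.FromPort, r.ToPort, r.Source)
}

// MergeRules is step 6: base rules plus the (defaulted) CNI rules, de-duplicated so a
// user who re-lists a base rule does not produce a duplicate entry, and sorted so the
// result is stable when diffed against the live security group.
func MergeRules(base []IngressRule, cni *CNISpec) []IngressRule {
	seen := map[string]bool{}
	var out []IngressRule
	all := append(append([]IngressRule{}, base...), DefaultCNI(cni).IngressRules...)
	for _, r := range all {
		k := ruleKey(r)
		if seen[k] {
			continue
		}
		seen[k] = true
		out = append(out, r)
	}
	sort.SliceStable(out, func(i, j int) bool { return ruleKey(out[i]) < ruleKey(out[j]) })
	return out
}

// OpenPorts summarises a rule set as protocol:from-to strings for a quick audit of
// what the node security group will actually allow.
func OpenPorts(rules []IngressRule) []string {
	var ports []string
	for _, r := range rules {
		ports = append(ports, fmt.Sprintf("%s:%d-%d", r.Protocol, r.FromPort, r.ToPort))
	}
	return ports
}

func main() {
	// Existing cluster with no cni field: the defaulter yields exactly the Calico set.
	fmt.Println("calico:", OpenPorts(MergeRules(baseRules(), nil)))

	// Antrea user: one UDP overlay port plus the agent-to-controller TCP port, and no
	// Calico ports. Port numbers here are assumed sample input, not taken from the issue.
	antrea := &CNISpec{IngressRules: []IngressRule{
		{Description: "geneve overlay (antrea)", Protocol: "udp", FromPort: 6081, ToPort: 6081, Source: nodeSG},
		{Description: "antrea agent to controller", Protocol: "tcp", FromPort: 10349, ToPort: 10349, Source: nodeSG},
	}}
	fmt.Println("antrea:", OpenPorts(MergeRules(baseRules(), antrea)))
}
```

The point of keying the merge on protocol/port/source rather than on the description is that the security group only ever contains the ports the base set and the chosen CNI actually need, which is the "don't open more ports than required" goal stated above.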

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Jun 10, 2020
ncdc (Contributor, Author) commented Jun 10, 2020

/assign @gab-satchi
