Fix: Protect CRD upgrade safety preflight behind feature flag

CRD upgrade safety preflight checks run unconditionally and is not protected under the feature flag
causing massive error messages and breaking the ClusterExtension upgrades with "Too long: may not be more than 32768 bytes".

Commit cab41aa added CRD upgrade safety preflights without feature flag protection:

```go
// Always runs for everyone - not protected
preflights := []controllers.Preflight{
    crdupgradesafety.NewPreflight(...),
}
```

Later, commit 543f099 added PreflightPermissions feature flag but only protected
the RBAC preauthorizer, leaving CRD upgrade safety unprotected.

Move CRD upgrade safety behind the existing `PreflightPermissions` feature flag:

```go
// Only runs when feature flag enabled
if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
    preflights = append(preflights, crdupgradesafety.NewPreflight(...))
}
```

- **By Default**: Users get normal upgrades without CRD validation
- **By Opt-In with Feature flag**:  enable PreflightPermissions=true for CRD safety checks

Fixes issue introduced in cab41aa

Author: camilamacedo86

cmd/operator-controller/main.go

@@ -417,13 +417,12 @@ func run() error {
 		return err
 	}
 
-	preflights := []applier.Preflight{
-		crdupgradesafety.NewPreflight(aeClient.CustomResourceDefinitions()),
-	}
-
-	// determine if PreAuthorizer should be enabled based on feature gate
+	var preflights []applier.Preflight
 	var preAuth authorization.PreAuthorizer
+
+	// determine if preflight checks should be enabled based on feature gate
 	if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
+		preflights = append(preflights, crdupgradesafety.NewPreflight(aeClient.CustomResourceDefinitions()))
 		preAuth = authorization.NewRBACPreAuthorizer(mgr.GetClient())
 	}