Description
What would you like to be added:
cidr flag completion for the ssh command.
The completion should return:
- the public IPs using the ipify service
- the IPs of the system's network interfaces, excluding down and loopback interfaces.
This adds some convenience for the user to specify the correct CIDR range that should be allowed to access the bastion. Alternatively the user should still be able to specify a different CIDR that is not part of the completion (e.g. because of NATting).
Why is this needed:
When running the ssh command you can pass the cidr range that should be allowed to access the bastion via flag. For more details on the SSH-flow see GEP-15.
If it is not provided, gardenctl tries to guess the proper IP/CIDR range by using a public service (https://www.ipify.org/ in particular).
However, using the public IP may not work in all scenarios, e.g. when using a VPN to access non-internet facing bastions. In this case, the user should be able to specify the correct CIDR range that should be used and gardenctl should have a completion for the cidr flag that would add some convenience.
Out of scope:
- The IP could be automatically detected similar to the public ipify service. Instead, such a service would have to be set up within the internal network and gardenctl would call it to have it return its internal IPs.
- First create the bastion to get its "public" endpoint from the status. Then figure out which network interface is used by using something like ip route get <bastion-endpoint>. Afterwards alter the bastion resource to specify the IP that was returned. See also https://engineering.qubecinema.com/2019/05/13/go-routing-package.html which is using github.com/google/gopacket, however not all architectures are supported.
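
A sketch of the interface half of the requested completion, added here as an example and not taken from gardenctl's code: it drops down and loopback interfaces and offers each remaining address as a completion candidate. The `iface` type and the function names are hypothetical, and narrowing each address to a single-host CIDR (/32 or /128) is an assumption made so that a selected candidate opens the bastion to one address rather than the interface's whole subnet. The ipify lookup and the wiring into the flag completion are left out.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
)

// iface is a hypothetical minimal view of one network interface.
type iface struct {
	Flags net.Flags
	Addrs []string // CIDR strings, as net.Interface.Addrs() yields on Unix
}

// cidrCandidates skips down/loopback interfaces; each address becomes a host CIDR.
func cidrCandidates(ifaces []iface) []string {
	out := []string{}
	for _, i := range ifaces {
		if i.Flags&net.FlagUp == 0 || i.Flags&net.FlagLoopback != 0 {
			continue
		}
		for _, a := range i.Addrs {
			if p, err := netip.ParsePrefix(a); err == nil {
				addr := p.Addr().Unmap()
				out = append(out, netip.PrefixFrom(addr, addr.BitLen()).String())
			}
		}
	}
	return out
}

// systemIfaces adapts net.Interfaces() to the iface type above.
func systemIfaces() []iface {
	var res []iface
	nis, _ := net.Interfaces() // on error nis is nil and nothing is offered
	for _, ni := range nis {
		entry := iface{Flags: ni.Flags}
		addrs, _ := ni.Addrs()
		for _, a := range addrs {
			entry.Addrs = append(entry.Addrs, a.String())
		}
		res = append(res, entry)
	}
	return res
}

func main() {
	fmt.Println(cidrCandidates(systemIfaces()))
}
```

Entries that do not parse as an address with a prefix length are skipped, so on platforms where interface addresses are reported without one they would need separate handling.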