feat: Add annotation to provision public secret data only

[Techassi]

Implements stackabletech/issues#547, based on decision in https://github.com/stackabletech/decisions/issues/78.

This PR introduces a new annotation for secret volumes, called secrets.stackable.tech/tbd which allows users to only request public/non-sensitive data instead of the complete secret material like currently. For backwards compatibility, this defaults to false (potentially different value based on decision).

The following use-cases are now supported:

• Use the autoTls backend, but only provision the ca.crt/truststore.p12 for the consumer.
• Use the kerberosKeytab backend, but only provision the krb5.conf for the consumer
• Use the k8sSearch backend to select Secrets which contain non-sensitive data only and support parsing the partial set of files. Explicitly requesting a format currently fails due to stricter parsing. This strict parsing is disabled when secrets.stackable.tech/tbd is used

The following example details the last use-case mentioned above:

apiVersion: v1
kind: Pod
metadata:
  name: example-just-ca-consumer
spec:
  securityContext:
    fsGroup: 1000
  volumes:
    - name: just-ca
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: just-ca
              # The currently unsupported feature is triggered by explicitly requesting a format
              # and bringing your own ca.crt
              secrets.stackable.tech/format: tls-pkcs12
              # 👇 See here, an actual boolean can not be used here, because of K8s restrictions
              secrets.stackable.tech/tbd: "true"
              # ☝️
          spec:
            storageClassName: secrets.stackable.tech
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "1"
  containers:
    - name: test
      image: oci.stackable.tech/sdp/testing-tools:0.3.0-stackable0.0.0-dev
      stdin: true
      tty: true
      volumeMounts:
        - name: just-ca
          mountPath: /stackable/tls
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: just-ca
spec:
  backend:
   k8sSearch:
      searchNamespace:
        pod: {}
---
apiVersion: v1
kind: Secret
metadata:
  name: just-ca-secret
  labels:
    secrets.stackable.tech/class: just-ca
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

(Note: The CA was generated by the default tls SecretClass)

[Techassi]

This should basically be ready to go, but is currently blocked on https://github.com/stackabletech/decisions/issues/78.

[sbernauer]

Can you please document the new attribute in https://docs.stackable.tech/home/stable/secret-operator/volume/#_attributes?

[Techassi]

Yes, I will add the appropriate documentation once the exact name and value of this annotation has been decided.

[sbernauer]

Can you please also add a small kuttl test?
A simple Secret with only ca.crt and asserting that a pod with pkcs12 format comes up is totally sufficient to me.
I'm also happy to add one, in that case just ping me here

[Techassi]

Yes, sure thing. I will add an integration test asap.

[Techassi]

Added in 444c028.