feat: Add annotation to provision non-sensitive data only

[Techassi]

Implements stackabletech/issues#547, based on decision in https://github.com/stackabletech/decisions/issues/78.

This PR introduces a new annotation for secret volumes, called secrets.stackable.tech/provision-parts which allows users to only request public/non-sensitive data instead of the complete secret material like currently. For backwards compatibility, this defaults to false (potentially different value based on decision).

The following use-cases are now supported:

• Use the autoTls backend, but only provision the ca.crt/truststore.p12 for the consumer.
• Use the kerberosKeytab backend, but only provision the krb5.conf for the consumer
• Use the k8sSearch backend to select Secrets which contain non-sensitive data only and support parsing the partial set of files. Explicitly requesting a format currently fails due to stricter parsing. This strict parsing is disabled when secrets.stackable.tech/provision-parts is used

The following example details the last use-case mentioned above:

apiVersion: v1
kind: Pod
metadata:
  name: example-just-ca-consumer
spec:
  securityContext:
    fsGroup: 1000
  volumes:
    - name: just-ca
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: just-ca
              # The currently unsupported feature is triggered by explicitly requesting a format
              # and bringing your own ca.crt
              secrets.stackable.tech/format: tls-pkcs12
              # 👇 See here
              secrets.stackable.tech/provision-parts: "public"
              # ☝️
          spec:
            storageClassName: secrets.stackable.tech
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "1"
  containers:
    - name: test
      image: oci.stackable.tech/sdp/testing-tools:0.3.0-stackable0.0.0-dev
      stdin: true
      tty: true
      volumeMounts:
        - name: just-ca
          mountPath: /stackable/tls
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: just-ca
spec:
  backend:
   k8sSearch:
      searchNamespace:
        pod: {}
---
apiVersion: v1
kind: Secret
metadata:
  name: just-ca-secret
  labels:
    secrets.stackable.tech/class: just-ca
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

(Note: The CA was generated by the default tls SecretClass)

[Techassi]

This should basically be ready to go, but is currently blocked on https://github.com/stackabletech/decisions/issues/78.

[Techassi]

A decision was reached and this PR is now unblocked again.

[NickLarsenNZ]

Left a few comments

[NickLarsenNZ]

LGTM

[sbernauer]

LGTM, but didn't look at the Rust code as @NickLarsenNZ already approved previously

[sbernauer]

LGTM, but didn't look at the Rust code as @NickLarsenNZ already approved previously