
feat: Add annotation to provision public secret data only #676

Draft
Techassi wants to merge 1 commit into main from feat/provision-public-secret-data-only

Conversation


@Techassi Techassi commented Feb 6, 2026

Implements stackabletech/issues#547, based on decision in https://github.com/stackabletech/decisions/issues/78.

This PR introduces a new annotation for secret volumes, called secrets.stackable.tech/tbd, which allows users to request only public/non-sensitive data instead of the complete secret material, as is currently the case. For backwards compatibility, this defaults to false (potentially a different value based on the decision).

Current usage (might change):

apiVersion: v1
kind: Pod
metadata:
  name: example-secret-consumer
spec:
  volumes:
    - name: tls
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: tls
              secrets.stackable.tech/scope: node,pod
              # 👇 See here, an actual boolean can not be used here, because of K8s restrictions
              secrets.stackable.tech/tbd: "true"
              # ☝️
          spec:
            storageClassName: secrets.stackable.tech
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "1"

(Note: This uses the default tls SecretClass)

With the new annotation:

-rw-rw---- 1 root      stackable 1.2K Feb  6 14:25 ca.crt

Without the new annotation:

-rw-rw---- 1 root      stackable 1.2K Feb  6 14:08 ca.crt
-rw-rw---- 1 root      stackable 1.4K Feb  6 14:08 tls.crt
-rw-rw---- 1 root      stackable 1.7K Feb  6 14:08 tls.key

@Techassi Techassi self-assigned this Feb 6, 2026
@Techassi Techassi moved this to Development: In Progress in Stackable Engineering Feb 6, 2026

impl WellKnownSecretData {
pub fn into_files(self, names: NamingOptions) -> SecretFiles {
pub fn into_files(self, names: NamingOptions, only_identity: bool) -> SecretFiles {
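Review bot: the new `only_identity: bool` parameter on `into_files` is a positional flag, so every call site will read `into_files(names, true)` with nothing at the call site saying which way is the public-only mode; a two-variant enum (or a per-file sensitivity marker carried in the returned `SecretFiles`) would make the intent self-documenting and cannot be passed the wrong way round. The name also does not line up with the PR description, which talks about provisioning "public/non-sensitive data" only; `identity` is easy to read as the opposite (the pod's own certificate and key), so consider naming the flag after what it withholds or selects.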

Instead of doing this dance here, we could change the type alias SecretFiles to a HashMap<String, (Vec<u8>, bool)> instead. The bool indicates which material is considered sensitive. Based on this, we could filter out these files when creating them in SecretProvisionerNode::save_secret_data.
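The two pieces of the design above, the string-valued annotation on the PVC from the PR description and the `HashMap<String, (Vec<u8>, bool)>` sensitivity-tagged file map proposed in this comment, put together as an added example. This is illustrative code written for this page, not code from the secret-operator repository: the annotation key is the PR's placeholder `secrets.stackable.tech/tbd`, the names `TaggedSecretFiles`, `ProvisionError`, `public_only_requested`, `select_files` and `provision` are assumptions, and `sample_tls_files` is a constructed stand-in for what the tls SecretClass would yield (its byte contents are placeholders; only the file names and flags matter). It keeps the PR's backwards-compatible default (no annotation means full material), rejects annotation values other than "true"/"false" instead of silently treating them as false, and refuses to provision an empty volume when public-only filtering removes everything.

```rust
use std::collections::HashMap;

// Placeholder key from the PR; the final annotation name is still "tbd".
pub const PUBLIC_ONLY_ANNOTATION: &str = "secrets.stackable.tech/tbd";

/// Secret files keyed by file name. The bool marks material that must be
/// withheld when only public data was requested, i.e. the tuple shape this
/// comment proposes instead of a plain `HashMap<String, Vec<u8>>`.
pub type TaggedSecretFiles = HashMap<String, (Vec<u8>, bool)>;

#[derive(Debug, PartialEq)]
pub enum ProvisionError {
    /// The annotation was set to something other than "true" or "false".
    InvalidAnnotation(String),
    /// Public-only was requested but no public file is left to mount.
    NothingToProvision,
}

/// Kubernetes annotation values are strings, so "true"/"false" has to be
/// parsed explicitly. A missing annotation keeps today's behaviour.
pub fn public_only_requested(
    annotations: &HashMap<String, String>,
) -> Result<bool, ProvisionError> {
    match annotations.get(PUBLIC_ONLY_ANNOTATION).map(|v| v.trim()) {
        None | Some("false") => Ok(false),
        Some("true") => Ok(true),
        Some(other) => Err(ProvisionError::InvalidAnnotation(other.to_owned())),
    }
}

/// Drop every sensitive file when public-only was requested, otherwise keep
/// all files. An empty result is an error rather than an empty volume.
pub fn select_files(
    files: TaggedSecretFiles,
    public_only: bool,
) -> Result<HashMap<String, Vec<u8>>, ProvisionError> {
    let selected: HashMap<String, Vec<u8>> = files
        .into_iter()
        .filter(|(_, (_, sensitive))| !(public_only && *sensitive))
        .map(|(name, (bytes, _))| (name, bytes))
        .collect();
    if selected.is_empty() {
        return Err(ProvisionError::NothingToProvision);
    }
    Ok(selected)
}

/// The whole decision for one volume: parse the PVC annotation, then filter.
pub fn provision(
    annotations: &HashMap<String, String>,
    files: TaggedSecretFiles,
) -> Result<HashMap<String, Vec<u8>>, ProvisionError> {
    let public_only = public_only_requested(annotations)?;
    select_files(files, public_only)
}

/// Constructed stand-in for the tls SecretClass output. tls.crt and tls.key
/// are flagged as withheld so that public-only yields exactly ca.crt, matching
/// the directory listing in the PR description.
pub fn sample_tls_files() -> TaggedSecretFiles {
    HashMap::from([
        ("ca.crt".to_owned(), (b"-----BEGIN CERTIFICATE-----...".to_vec(), false)),
        ("tls.crt".to_owned(), (b"-----BEGIN CERTIFICATE-----...".to_vec(), true)),
        ("tls.key".to_owned(), (b"-----BEGIN PRIVATE KEY-----...".to_vec(), true)),
    ])
}

/// Sorted file names, for stable comparison of a provisioning result.
pub fn sorted_names(files: &HashMap<String, Vec<u8>>) -> Vec<String> {
    let mut names: Vec<String> = files.keys().cloned().collect();
    names.sort();
    names
}

fn main() {
    let annotations = HashMap::from([(PUBLIC_ONLY_ANNOTATION.to_owned(), "true".to_owned())]);
    match provision(&annotations, sample_tls_files()) {
        Ok(files) => println!("provisioned: {:?}", sorted_names(&files)),
        Err(e) => eprintln!("refused: {e:?}"),
    }
}
```

With the flag carried per file, the save step needs no extra parameter at all: it just skips entries whose bool is set, and the decision of what counts as sensitive stays with the code that knows the SecretClass.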
