fix(webhook) exclude Helm Secrets

[rainest]

What this PR does / why we need it:

Hurray! We added Secret validation! Oh no! We added Secret validation!

Helm charts with webhooks that handle Secrets run into an issue that
prevents changes after an action that enables the webhook:
helm/helm#10023

Because Helm's Secret for release information is subject to the webhook,
Kubernetes will attempt to validate it, likely before the webhook
service comes online (because Helm just created the Pod that will
provide it). If the service is not online, validation fails, and Helm
cannot update its Secret to mark the release status, usually leaving it
stuck in a pending state that blocks future interactions.

This change excludes Helm Secrets from our validation, because we have
no need to validate them.

Special notes for your reviewer:

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

• PR is based off the current tip of the next branch and targets next, not main
• Commits follow the Kong commit message guidelines

[mflendrich]

I'm wondering whether this commands any change to the deploy/kustomize manifests we have in the KIC repo, but I don't see an obvious reason that it would.

[rainest]

The risk of hitting this with plain manifests should be dramatically less: you'd need to intentionally deploy the manifest and then install or upgrade some unrelated Helm release immediately after.

The proper solution is that we require labels on credential Secrets so we can use a selector for them only and get rid of all unnecessary Secret checks, but that's a breaking change.