@tgigli tgigli commented Sep 18, 2025

Summary

  • Add excludeSecretsRegex field to DopplerSecretSpec
  • Implement regex filtering in GetKubeSecretData function
  • Add validation and error handling for invalid regex patterns
  • Update CRDs with the new optional field
  • Add example configuration for regex exclusion

Description

This PR adds the ability to exclude secrets from being synced based on a regex pattern. The new excludeSecretsRegex field allows users to specify a regular expression that will filter out secrets matching the pattern before they are stored in the managed Kubernetes secret.

Features Added

  • Optional regex filtering: New excludeSecretsRegex field in DopplerSecret spec
  • Validation: Invalid regex patterns are caught and reported with clear error messages
  • Backward compatibility: Field is optional, existing DopplerSecrets continue to work unchanged
  • Example configuration: Added sample YAML showing how to use the new field

Testing

  • ✅ Tested with real Doppler project (cryptonets/dev_falcon)
  • ✅ Verified filtering works correctly (excluded 3 ARGOCD_* secrets)
  • ✅ Verified backward compatibility (no filter = all secrets synced)
  • ✅ Tested invalid regex patterns return appropriate errors

Example Usage

apiVersion: secrets.doppler.com/v1alpha1
kind: DopplerSecret
metadata:
  name: filtered-secret
spec:
  tokenSecret:
    name: doppler-token-secret
  managedSecret:
    name: my-secret
    namespace: default
  # Exclude secrets starting with TEMP_ or containing _DEBUG
  excludeSecretsRegex: "^TEMP_.*|.*_DEBUG.*"

Test plan

  • Build and test locally
  • Verify CRDs are generated correctly
  • Test with real Doppler secrets
  • Verify regex validation works
  • Test backward compatibility

- Add excludeSecretsRegex field to DopplerSecretSpec
- Implement regex filtering in GetKubeSecretData function
- Add validation and error handling for invalid regex patterns
- Update CRDs with the new optional field
- Add example configuration for regex exclusion

Signed-off-by: Tiago Gigli <[email protected]>
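
The exclusion behaviour described in this PR, as an added Go example that is not the PR's code or the operator's own: `filterExcluded` and the sample secret names are hypothetical, and only the `excludeSecretsRegex` pattern is taken from the description above. It shows the two cases a reviewer would check first, an unset pattern and an invalid one.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// filterExcluded is a hypothetical helper, not the PR's GetKubeSecretData.
// It returns the secrets to sync and the sorted names that were excluded.
func filterExcluded(secrets map[string]string, pattern string) (map[string]string, []string, error) {
	kept := make(map[string]string, len(secrets))
	if pattern == "" {
		// An unset field means "no filter". Compiling "" would match every
		// name and silently drop all secrets from the managed secret.
		for k, v := range secrets {
			kept[k] = v
		}
		return kept, nil, nil
	}
	// Go's regexp package is RE2-based (linear time), so a user-supplied
	// pattern cannot cause catastrophic backtracking in the controller.
	re, err := regexp.Compile(pattern)
	if err != nil {
		// Fail closed: syncing everything on a bad pattern would publish
		// the secrets the user meant to withhold.
		return nil, nil, fmt.Errorf("invalid excludeSecretsRegex %q: %w", pattern, err)
	}
	var excluded []string
	for name, value := range secrets {
		if re.MatchString(name) { // unanchored: matches anywhere in the name
			excluded = append(excluded, name)
			continue
		}
		kept[name] = value
	}
	sort.Strings(excluded) // stable order; log names only, never values
	return kept, excluded, nil
}

func main() {
	// Constructed sample data, not taken from any real Doppler project.
	secrets := map[string]string{"TEMP_TOKEN": "a", "API_DEBUG_KEY": "b", "DB_PASSWORD": "c", "MY_TEMP_DIR": "d"}
	kept, excluded, err := filterExcluded(secrets, "^TEMP_.*|.*_DEBUG.*")
	fmt.Println(len(kept), excluded, err)
	_, _, err = filterExcluded(secrets, "^TEMP_(")
	fmt.Println(err)
}
```

Because `MatchString` is unanchored, the pattern from the description behaves the same as `^TEMP_|_DEBUG`, and a name such as `MY_TEMP_DIR` is kept.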
@watsonian
Member

@tgigli Thanks for the effort here! As per my post on your issue, we'd like to see a different approach outlined there. I'm opening up an internal issue to track this and we'll see what we can get done to add support for this in a more generic way!

@watsonian watsonian closed this Oct 9, 2025