
Conversation

moo-im-a-cow

#194

New CRD that generates Vault tokens and stores them in k8s secrets.
This does not give you the k8s service account's token; it uses the service account to generate a new token.
The service account requires permission in Vault to call the auth/token/create/ endpoint (and that permission should obviously be locked down to specific roles or fields using appropriate policies).

This is hardcoded to only generate non-renewable tokens,
but, the same as the dynamic secrets CRD, it generates a new one at 67% (configurable) of the old one's lifetime,
so as long as you are using the up-to-date token from the secret, you'll always have a valid token.

The latest token accessor is stored in the VaultTokenSecret object, and is revoked if the object is deleted.
(Currently it doesn't store or revoke the old accessor; if you delete the object after a new token has been generated, the old one still has 33% of its lifetime left and is valid to log in with.)

You can set most fields for generating a token: policies, meta, no_default_policy, ttl, display_name, entity_alias.
Most others could be set using the role, apart from renewable, which is hardcoded to false for security;
your app doesn't need to renew this token, it just gets a new one from the secret.

I don't really understand the code, but I pieced it together from parts of the static secret controller and dynamic secret controller. I know it works, but this probably needs to be rewritten by someone who actually understands it.

@moo-im-a-cow moo-im-a-cow requested a review from a team as a code owner May 4, 2025 08:24
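The lifecycle the PR describes (issue a non-renewable token, replace it at a configurable fraction of its TTL, revoke the accessor on delete) condensed into a small Go model, as an added example that is not code from this PR or from vault-secrets-operator. `TokenAPI`, `Rotator`, `fakeVault` and the accessor/token strings are hypothetical names and constructed values; the in-memory `fakeVault` stands in for Vault's auth/token/create and revoke-accessor endpoints so the example runs offline. It deliberately goes one step beyond the PR as described: it remembers every accessor whose TTL has not yet elapsed, so deleting the object also revokes the previous token that still has roughly 33% of its lifetime left.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TokenAPI is the slice of Vault's token API the rotator needs (hypothetical
// interface; a real implementation would wrap the Vault client's
// auth/token/create and auth/token/revoke-accessor calls).
type TokenAPI interface {
	CreateToken(ttl time.Duration, renewable bool) (token, accessor string, err error)
	RevokeAccessor(accessor string) error
}

// fakeVault is a constructed in-memory stand-in for Vault so the example runs offline.
type fakeVault struct {
	counter int
	live    map[string]bool // accessor -> not yet revoked
}

func newFakeVault() *fakeVault { return &fakeVault{live: map[string]bool{}} }

func (f *fakeVault) CreateToken(ttl time.Duration, renewable bool) (string, string, error) {
	if renewable { // mirrors the PR's rule: this controller never asks for renewable tokens
		return "", "", errors.New("renewable tokens are not permitted")
	}
	f.counter++
	acc := fmt.Sprintf("accessor-%d", f.counter)
	f.live[acc] = true
	return fmt.Sprintf("hvs.example-token-%d", f.counter), acc, nil
}

func (f *fakeVault) RevokeAccessor(accessor string) error {
	if !f.live[accessor] {
		return fmt.Errorf("accessor %q is unknown or already revoked", accessor)
	}
	f.live[accessor] = false
	return nil
}

// issuedToken records an accessor and its issue time so that every token
// that may still be valid can be revoked on delete.
type issuedToken struct {
	accessor string
	at       time.Time
}

// Rotator issues a non-renewable token, replaces it once rotateAt of the TTL
// has elapsed, and revokes all still-valid accessors on delete.
type Rotator struct {
	vault    TokenAPI
	ttl      time.Duration
	rotateAt float64 // fraction of the TTL after which a new token is generated (0.67 in the PR)
	Token    string  // the value that would be written to the Kubernetes Secret
	issuedAt time.Time
	issued   []issuedToken
}

func NewRotator(v TokenAPI, ttl time.Duration, rotateAt float64) *Rotator {
	return &Rotator{vault: v, ttl: ttl, rotateAt: rotateAt}
}

// NextRotation returns the instant at which a token issued at issuedAt is replaced.
func NextRotation(issuedAt time.Time, ttl time.Duration, rotateAt float64) time.Time {
	return issuedAt.Add(time.Duration(float64(ttl) * rotateAt))
}

// Reconcile issues a token when none exists or the rotation point has passed;
// it reports whether a new token was generated.
func (r *Rotator) Reconcile(now time.Time) (bool, error) {
	if r.Token != "" && now.Before(NextRotation(r.issuedAt, r.ttl, r.rotateAt)) {
		return false, nil
	}
	tok, acc, err := r.vault.CreateToken(r.ttl, false) // renewable hardcoded to false
	if err != nil {
		return false, err
	}
	r.Token, r.issuedAt = tok, now
	r.issued = append(r.issued, issuedToken{accessor: acc, at: now})
	r.prune(now)
	return true, nil
}

// prune forgets tokens whose full TTL has elapsed; Vault has already expired them.
func (r *Rotator) prune(now time.Time) {
	kept := r.issued[:0]
	for _, t := range r.issued {
		if now.Sub(t.at) < r.ttl {
			kept = append(kept, t)
		}
	}
	r.issued = kept
}

// Delete revokes every accessor that may still be valid, not only the newest one.
func (r *Rotator) Delete(now time.Time) error {
	r.prune(now)
	var errs []error
	for _, t := range r.issued {
		if err := r.vault.RevokeAccessor(t.accessor); err != nil {
			errs = append(errs, err)
		}
	}
	r.issued, r.Token = nil, ""
	return errors.Join(errs...)
}
```

With a one-hour TTL and `rotateAt` of 0.67 the second token is issued at 40m12s; until the first token's TTL runs out at 60m both accessors are live, which is exactly the window in which the PR's current delete path would leave the older token usable. Tracking the predecessor costs one extra accessor in the status and one extra revoke call.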

hashicorp-cla-app bot commented May 4, 2025

CLA assistant check
All committers have signed the CLA.

@moo-im-a-cow
Author

I am unsure what the error in the Jira Sync / sync / Jira sync (pull_request_target) review is. Is this an issue with my code or with the review step?
