@zachsmith1
Collaborator

This pull request introduces and wires up support for the new DNSZoneTSIGKey resource, including controller logic, RBAC permissions, and end-to-end tests. The changes enable management of TSIG keys for DNS zones, supporting both user-provided and generated secrets, and ensure proper validation and reconciliation. Additionally, the PR includes minor improvements to configuration and test tooling.

Controller and Resource Integration:

  • Added the DNSZoneTSIGKeyPowerDNSReconciler controller to the main manager, enabling reconciliation of DNSZoneTSIGKey resources for PowerDNS.
  • Added the DNSZoneTSIGKeyReplicator controller to the multi-cluster manager, allowing replication of TSIG keys to downstream clusters.

RBAC and Permissions:

  • Updated the main RBAC role to grant access to secrets, dnszonetsigkeys, their status and finalizers, ensuring controllers can manage these resources as needed.

Testing and Validation:

  • Added a comprehensive test suite for the DNSZoneTSIGKeyPowerDNSReconciler covering scenarios for both user-provided and generated secrets, as well as validation failures.

Other Minor Improvements:

  • Added a new status condition reason ReasonInvalidSecret for improved error reporting when secrets are invalid.
  • Updated the sample CR to clarify secret reference usage.
