feat(helm): support extra volumes/mounts; add external API key mount-path validation#772

Open
JoeDerby wants to merge 11 commits into Cloudzero:develop from JoeDerby:extra-volumes

@JoeDerby

Why?

This PR adds first-class support for attaching custom extraVolumes and extraVolumeMounts to CloudZero workloads, while preserving safe API key configuration validation.

It enables external file-based credential flows (for example CSI-driven mounts) without introducing a new feature toggle, and keeps default chart behaviour intact for existing users.

What

  • Added new chart values:

    • extraVolumes
    • extraVolumeMounts
  • Wired those values into all relevant workloads:

    • agent-deploy
    • agent-daemonset
    • aggregator-deploy
    • config-loader-job
    • webhook-deploy
    • backfill-job
  • Added reusable Helm helpers for extra volumes/mounts rendering.

  • Updated docs in helm/README.md and value schema definitions.

  • Strengthened schema validation:

    • Default mode: exactly one of apiKey or existingSecretName must be set.
    • External mode: if both are null, extraVolumes and extraVolumeMounts must be non-empty.
  • Added render-time validation guard:

    • In external mode, at least one extraVolumeMount.mountPath must match serverConfig.containerSecretFilePath.
    • This prevents misconfiguration where credentials are mounted but not at the path the app reads.
  • Added/updated Helm unit tests for:

    • Generic extra volume/mount behaviour (non-CSI-specific fixtures)
    • API key source validation logic
    • External mount-path validation guard

Users need to mount additional volumes (including but not limited to CSI-backed sources) across CloudZero components without changing default secret behaviour.
At the same time, we need to avoid silent credential misconfigurations. This PR balances flexibility with clear guardrails.

Backward Compatibility

  • Existing apiKey / existingSecretName flows continue to work as before.
  • No required changes for current users unless they choose external mode.
  • External mode is now explicit and validated to fail fast when mount path configuration is incorrect.

How Tested

All Helm unit test suites passed.
Deployed from fork to test that the agent is working.

Scenarios explicitly verified:

  • extraVolumes/extraVolumeMounts render across deployment, daemonset, and job templates.
  • Default credential validation still enforces valid apiKey/existingSecretName combinations.
  • External mode (apiKey: null, existingSecretName: null) requires non-empty extra volumes/mounts.
  • External mode fails fast if no extraVolumeMount.mountPath matches serverConfig.containerSecretFilePath.
  • External mode succeeds when mount path matches expected credential path.

JoeDerby requested a review from a team as a code owner April 22, 2026 08:19
JoeDerby changed the title from "Extra volumes" to "feat(helm): support extra volumes/mounts; add external API key mount-path validation" Apr 22, 2026
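
The credential-source rules in the description above can be checked against a values file before `helm install`. The following is an added example, not code from this PR or the chart: the function name, the sample values and the reading of "match" as equality after path normalization are assumptions, and only the value keys come from the description.

```python
import posixpath

def check_api_key_source(values):
    """Return a list of problems; an empty list means the values pass."""
    api_key = values.get("apiKey")
    secret_name = values.get("existingSecretName")
    # Assumption: "set" means "not null", following the PR's wording.
    if api_key is not None and secret_name is not None:
        return ["apiKey and existingSecretName are both set; set exactly one"]
    if api_key is not None or secret_name is not None:
        return []  # default mode: nothing further to check here

    # External mode: both are null, so the credential must come from a mount.
    problems = []
    volumes = values.get("extraVolumes") or []
    mounts = values.get("extraVolumeMounts") or []
    if not volumes:
        problems.append("external mode requires non-empty extraVolumes")
    if not mounts:
        problems.append("external mode requires non-empty extraVolumeMounts")

    secret_path = (values.get("serverConfig") or {}).get("containerSecretFilePath")
    if not secret_path:
        problems.append("serverConfig.containerSecretFilePath is not set")
    elif mounts:
        # Assumption: "match" is equality after normalizing the path,
        # so a trailing slash on mountPath does not cause a false failure.
        want = posixpath.normpath(secret_path)
        have = [posixpath.normpath(m.get("mountPath") or "") for m in mounts]
        if want not in have:
            problems.append(f"no extraVolumeMounts mountPath matches {want}; found {have}")
    return problems

# Constructed sample values; the paths, names and driver are placeholders.
EXTERNAL_OK = {
    "apiKey": None,
    "existingSecretName": None,
    "serverConfig": {"containerSecretFilePath": "/example/secret/api-key"},
    "extraVolumes": [{"name": "ext-creds", "csi": {"driver": "example.csi.driver"}}],
    "extraVolumeMounts": [{"name": "ext-creds", "mountPath": "/example/secret/api-key/"}],
}
# Same volume, but mounted somewhere the app does not read from.
EXTERNAL_WRONG_PATH = dict(
    EXTERNAL_OK, extraVolumeMounts=[{"name": "ext-creds", "mountPath": "/mnt/creds"}]
)

if __name__ == "__main__":
    for label, vals in [("ok", EXTERNAL_OK), ("wrong path", EXTERNAL_WRONG_PATH)]:
        print(label, check_api_key_source(vals) or "passes")
```

The wrong-path case is the silent failure the render-time guard targets: the volume and mount both exist, so a non-empty check alone would pass it.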