
Transmit masked variables to container entry via a secret

Matthew Bradburn requested to merge mbradburn-secrets-in-container-entry into main

What does this MR do?

It sets up Kubernetes secrets to contain masked CI job variables, and configures pod containers to include the content of those k8s secrets in their configuration. Masked file-type variables each get their own k8s secret, and other masked variables are added to one or more k8s secrets, depending on space requirements.

Why was this MR needed?

Some customers run code that depends on CI job secrets being present in their container configuration, but we have not been setting that up due to concerns that secrets might be visible through kubectl describe or similar.

What's the best way to test this MR?

Here's how I've tested it: I created a container image whose entrypoint printed its environment, then used this image with the gitlab-runner kubernetes executor. While sending jobs to this runner, I used kubectl get secrets to show the secrets that were created, and I used kubectl logs to examine the environment of the container entrypoint process.

What are the relevant issue numbers?

fixes #37226 (closed) #30999 (closed) #28866 (closed) #27971 (closed) #26989 (closed)

Edited by Romuald Atchadé
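As an added example (not code from this merge request or from gitlab-runner itself), the following Python sketch lays out the manifest shape the description above outlines: one Secret per masked file-type variable, mounted into the container as a file with the variable's env entry pointing at that path, and the remaining masked variables packed into as few Secrets as a size budget allows and pulled in via envFrom, while unmasked variables stay as plain container env. The job id, the secret naming scheme, the /secrets mount directory, the sample variables and the tiny size budget used to force a split are all constructed assumptions; the 1 MiB figure is the real per-Secret limit enforced by the Kubernetes API server.

```python
import base64
import json

# Kubernetes rejects a single Secret object larger than 1 MiB; this is the
# default packing budget. Tests pass a much smaller budget to force a split.
KUBE_SECRET_MAX_BYTES = 1024 * 1024


def _b64(value: str) -> str:
    return base64.b64encode(value.encode()).decode()


def _k8s_name(job_id, kind, suffix):
    # Secret names must be lowercase DNS-style labels; CI variable names are not.
    return f"job-{job_id}-{kind}-{suffix.lower().replace('_', '-')}"


def _secret(name: str, data: dict) -> dict:
    """Build an Opaque Secret manifest with base64-encoded data values."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {k: _b64(v) for k, v in data.items()},
    }


def pack_variables(variables, max_bytes):
    """Greedy first-fit packing of (key, value) pairs into groups whose summed
    encoded size stays within max_bytes. A single entry larger than the budget
    still gets a group of its own; the API server is the right place for that
    oversize failure to surface rather than silently truncating a secret."""
    groups, current, size = [], {}, 0
    for key, value in variables:
        entry = len(key) + len(_b64(value))
        if current and size + entry > max_bytes:
            groups.append(current)
            current, size = {}, 0
        current[key] = value
        size += entry
    if current:
        groups.append(current)
    return groups


def build_manifests(job_id, variables, max_bytes=KUBE_SECRET_MAX_BYTES):
    """variables: dicts with keys name, value, masked, file.
    Returns (secret_manifests, container_fragment, pod_volumes)."""
    secrets, env, env_from, volumes, mounts = [], [], [], [], []
    # Unmasked variables are harmless in the pod spec and stay as plain env.
    for v in variables:
        if not v["masked"]:
            env.append({"name": v["name"], "value": v["value"]})
    masked = [v for v in variables if v["masked"]]
    # Masked file-type variables: one Secret each, mounted as a read-only file.
    # The env var carries the file path, which is how CI file variables are consumed.
    for v in masked:
        if v["file"]:
            sname = _k8s_name(job_id, "file", v["name"])
            mount_dir = f"/secrets/{v['name']}"  # assumed mount location
            secrets.append(_secret(sname, {v["name"]: v["value"]}))
            volumes.append({"name": sname, "secret": {"secretName": sname}})
            mounts.append({"name": sname, "mountPath": mount_dir, "readOnly": True})
            env.append({"name": v["name"], "value": f"{mount_dir}/{v['name']}"})
    # Remaining masked variables: packed into Secrets and exposed through envFrom,
    # so their values never appear inline in the pod spec.
    plain = [(v["name"], v["value"]) for v in masked if not v["file"]]
    for i, group in enumerate(pack_variables(plain, max_bytes)):
        sname = _k8s_name(job_id, "vars", str(i))
        secrets.append(_secret(sname, group))
        env_from.append({"secretRef": {"name": sname}})
    container = {"env": env, "envFrom": env_from, "volumeMounts": mounts}
    return secrets, container, volumes


# Constructed sample job variables (values are placeholders, not real credentials).
SAMPLE_VARIABLES = [
    {"name": "CI_JOB_NAME", "value": "build", "masked": False, "file": False},
    {"name": "DB_PASSWORD", "value": "hunter2-hunter2", "masked": True, "file": False},
    {"name": "API_TOKEN", "value": "tok-0123456789abcdef", "masked": True, "file": False},
    {"name": "KUBECONFIG_DATA", "value": "apiVersion: v1\nclusters: []\n", "masked": True, "file": True},
]

if __name__ == "__main__":
    secrets, container, volumes = build_manifests(42, SAMPLE_VARIABLES)
    print(json.dumps({"secrets": secrets, "container": container, "volumes": volumes}, indent=2))
```

Running the module prints the Secret manifests alongside the container and volume fragments; with the default budget the two non-file masked variables share one Secret, and the pod spec itself contains no masked value, only secretRef and file-path references, which is the property the MR's kubectl describe concern is about.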
