avoid Kyverno policy on all Secrets
I had this error on a deployment on which Kyverno pods had issues:
```
📜 Update sylva-units Helm release and associated resources
Warning: resource namespaces/sylva-system is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
configmap/sylva-units-values configured
helmrelease.helm.toolkit.fluxcd.io/sylva-units unchanged
gitrepository.source.toolkit.fluxcd.io/sylva-core configured
Error from server (InternalError): error when applying patch:
{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Namespace\",\"metadata\":{\"annotations\":{},\"labels\":{\"copy-from-bootstrap-to-management\":\"\"},\"name\":\"sylva-system\"}}\n"},"labels":{"copy-from-bootstrap-to-management":""}}}
to:
Resource: "/v1, Resource=namespaces", GroupVersionKind: "/v1, Kind=Namespace"
Name: "sylva-system", Namespace: ""
for: "STDIN": error when patching "STDIN": Internal error occurred: failed calling webhook "validate.kyverno.svc-fail": failed to call webhook: Post "https://kyverno-svc.kyverno.svc:443/validate/fail?timeout=10s": context deadline exceeded
Error from server (InternalError): error when applying patch:
{"data":{"secrets":"..."}}
to:
Resource: "/v1, Resource=secrets", GroupVersionKind: "/v1, Kind=Secret"
Name: "sylva-units-secrets", Namespace: "sylva-system"
for: "STDIN": error when patching "STDIN": Internal error occurred: failed calling webhook "mutate.kyverno.svc-fail": failed to call webhook: Post "https://kyverno-svc.kyverno.svc:443/mutate/fail?timeout=10s": context deadline exceeded
```
I think we should avoid having the patch-bond-policy webhook match any Secret*, using spec.rules[].celPreconditions to restrict to which Secrets the condition applies.
/cc @feleouet
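As an added illustration (not the sylva-core project's own policy, whose real rule body is not on this page), the shape of the change proposed above: a Kyverno ClusterPolicy whose mutate rule matches every Secret, beside the same rule narrowed with `spec.rules[].celPreconditions`. Kyverno forwards these CEL expressions to the webhook's `matchConditions`, so the API server skips the webhook call for Secrets that do not match, and a stalled Kyverno pod no longer blocks unrelated writes such as `sylva-units-secrets` (this needs a Kubernetes release where admission webhook match conditions are available). The policy name comes from the issue; the label key and the annotation patch are placeholders.

```yaml
# Before (constructed illustration): matches every Secret in the cluster, so
# each Secret create/update waits on the Kyverno mutate webhook.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: patch-bond-policy
spec:
  rules:
    - name: patch-bond
      match:
        any:
          - resources:
              kinds:
                - Secret
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              bond.example.invalid/patched: "true"   # placeholder patch body
---
# After (constructed illustration): the celPreconditions block becomes a
# matchCondition on the webhook configuration. The API server evaluates it
# and only calls Kyverno for Secrets carrying the assumed label, so an
# unrelated Secret is admitted even while Kyverno pods are unhealthy.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: patch-bond-policy
spec:
  rules:
    - name: patch-bond
      match:
        any:
          - resources:
              kinds:
                - Secret
      celPreconditions:
        - name: only-bond-config-secrets
          # 'object' is the incoming Secret; the label key is an assumption.
          expression: >-
            has(object.metadata.labels) &&
            'bond.example.invalid/config' in object.metadata.labels
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              bond.example.invalid/patched: "true"   # placeholder patch body
```

After applying the narrowed policy, `kubectl get mutatingwebhookconfigurations -o yaml` should show the expression under `matchConditions` on the Kyverno webhook, which is the check that the filtering really happens at the API server rather than inside Kyverno.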