Use case: Need to run a command (e.g. send `SIGHUP`) when secrets are updated.
A useful example is nginx and fetching mTLS certs from Vault. After the cert is updated we need to send a `SIGHUP` to trigger nginx to reload the certs.
It looks like this is currently possible using the configmap escape hatch, but this is a common enough case for us that having to use the configmap approach is significant friction.
Example of how this might look as annotations:
```yaml
vault.hashicorp.com/agent-inject-secret-tls.pem: "pki/issue/ou-nobody"
vault.hashicorp.com/agent-inject-template-tls.pem: |
  {{- with secret "pki/issue/ou-nobody" "common_name=foo.example.com" "ttl=5m" }}
  {{ .Data.private_key }}
  {{ .Data.certificate }}
  {{ .Data.issuing_ca }}
  {{ end }}
vault.hashicorp.com/agent-inject-command-tls.pem: "/bin/sh -c 'pkill -HUP nginx || true'"
spec:
  # shared PID namespace so the vault-agent sidecar can send signals to nginx in the app container
  shareProcessNamespace: true
```
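For comparison, the configmap escape hatch mentioned in the issue, written out as an added example (not from the issue author or the vault-k8s project). The ConfigMap name, the Vault role `nginx` and the Vault address are assumed placeholders; the template and command are the ones from the issue.

```yaml
# Added example. Values marked "assumed" are placeholders, not from the issue.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-vault-agent              # assumed name
data:
  # Vault Agent configuration used by the injected sidecar
  config.hcl: |
    exit_after_auth = false
    pid_file        = "/home/vault/.pid"
    vault {
      address = "https://vault.example.internal:8200"   # assumed address
    }
    auto_auth {
      method "kubernetes" {
        config = {
          role = "nginx"               # assumed Vault role
        }
      }
      sink "file" {
        config = {
          path = "/home/vault/.token"
        }
      }
    }
    template {
      destination = "/vault/secrets/tls.pem"
      contents    = <<EOT
    {{- with secret "pki/issue/ou-nobody" "common_name=foo.example.com" "ttl=5m" }}
    {{ .Data.private_key }}
    {{ .Data.certificate }}
    {{ .Data.issuing_ca }}
    {{ end }}
    EOT
      # Runs after each render; only reaches nginx with a shared PID namespace
      command     = "/bin/sh -c 'pkill -HUP nginx || true'"
    }
---
# Pod template fragment that points the injector at the ConfigMap
metadata:
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-configmap: "nginx-vault-agent"
    # no config-init.hcl is supplied above, so skip the init container
    vault.hashicorp.com/agent-pre-populate: "false"
spec:
  shareProcessNamespace: true
```

With pre-populate disabled, nginx can start before the first render, so either add a `config-init.hcl` key or make the app wait for the file. `shareProcessNamespace: true` also makes every container's processes visible to every other container in the pod, so the sidecar gains more than the ability to signal nginx.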