fix secret sync wait to require requested keys#170
Merged
Conversation
vigneshrajsb
approved these changes
Apr 16, 2026
Contributor
vigneshrajsb
left a comment
Looks good.
Secret sync was apparently doing security through obscurity by letting new keys play hide-and-seek with the pod. This fix makes the secret wait until all the requested env keys actually show up, which is a much better magician than the old implementation.
When a PR already has a Lifecycle-managed secret and a later commit adds a new secret reference in lifecycle.yaml, secret sync can complete too early.
The current sync check only verifies that the target Kubernetes Secret exists and has some data. For existing PRs, the Secret may already exist from a previous deploy with older keys, so the sync step treats it as ready before External Secrets Operator has reconciled the newly requested key. The build or runtime pod can then start without the new env var populated.
New PRs, or PRs that previously had no secrets, usually work because the target Secret does not exist yet, so the sync loop waits through 404 until ESO creates it.
Expected behavior
Secret sync should only complete after the target Kubernetes Secret contains every key requested by the current lifecycle.yaml change.
Fix
Track the expected env keys per generated Secret and update waitForSecretSync to poll until each requested key is present. Timeout errors should include the missing keys for debugging.
Validation
Add regression coverage for:
existing Secret with old keys missing a newly requested key
Secret appearing after 404
multi-key sync waiting for the last key
empty-but-present secret values not being treated as missing
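The readiness check described above, as an added example that is not Lifecycle's own code: a wait loop that treats a Secret as synced only when every requested key is present, with the missing keys reported on timeout. The names (`SecretData`, `evaluatePoll`, `syncFromSnapshots`, `waitForSecretSync` and its options), the `legacyIsSynced` stand-in for the old "exists and has some data" check, and all sample key names are assumptions constructed for the example. The four regression cases listed in the PR are replayed as sequences of observed Secret states, so the logic runs offline without a cluster.

```typescript
// Added example, not Lifecycle's code. All names here are assumptions.
// A Secret's data section as returned by the Kubernetes API, or null for a 404.
type SecretData = Record<string, string> | null;

interface PollResult {
  ready: boolean;
  // "not-found": the Secret does not exist yet (404)
  // "missing-keys": the Secret exists but lacks some requested keys
  reason: "ready" | "not-found" | "missing-keys";
  missing: string[];
}

// Stand-in for the old check: the Secret exists and has at least one key.
// A Secret left over from an earlier deploy with stale keys passes this,
// which is the bug the PR describes.
function legacyIsSynced(snapshot: SecretData): boolean {
  return snapshot !== null && Object.keys(snapshot).length > 0;
}

// A key is missing only when it is absent from the Secret. An empty-but-present
// value still counts as synced: ESO reconciled it, the upstream value is just "".
function missingKeys(data: Record<string, string>, expected: string[]): string[] {
  return expected.filter((k) => !Object.prototype.hasOwnProperty.call(data, k));
}

// Classify one observation of the Secret against the keys lifecycle.yaml requested.
function evaluatePoll(snapshot: SecretData, expected: string[]): PollResult {
  if (snapshot === null) {
    return { ready: false, reason: "not-found", missing: [...expected] };
  }
  const missing = missingKeys(snapshot, expected);
  if (missing.length > 0) {
    return { ready: false, reason: "missing-keys", missing };
  }
  return { ready: true, reason: "ready", missing: [] };
}

// Timeout errors name the keys that never arrived so the failure is debuggable.
function timeoutMessage(name: string, last: PollResult, attempts: number): string {
  const detail =
    last.reason === "not-found"
      ? "Secret was never created"
      : `missing keys: ${last.missing.join(", ")}`;
  return `secret sync timed out for ${name} after ${attempts} polls (${detail})`;
}

// Synchronous driver over a pre-recorded sequence of observed Secret states.
// The last snapshot is repeated once the sequence runs out, which models a
// cluster whose state has stopped changing.
function syncFromSnapshots(
  name: string,
  snapshots: SecretData[],
  expected: string[],
  maxAttempts: number,
): { ready: boolean; attempts: number; error?: string } {
  let last = evaluatePoll(null, expected);
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const snapshot =
      snapshots.length === 0 ? null : snapshots[Math.min(attempt - 1, snapshots.length - 1)];
    last = evaluatePoll(snapshot, expected);
    if (last.ready) return { ready: true, attempts: attempt };
  }
  return { ready: false, attempts: maxAttempts, error: timeoutMessage(name, last, maxAttempts) };
}

// Async driver against a real reader: fetchSecret resolves to the data section,
// or to null when the API returns 404. Same decision logic as syncFromSnapshots.
async function waitForSecretSync(
  name: string,
  fetchSecret: () => Promise<SecretData>,
  expected: string[],
  opts: { timeoutMs?: number; intervalMs?: number } = {},
): Promise<void> {
  const { timeoutMs = 120_000, intervalMs = 2_000 } = opts;
  const deadline = Date.now() + timeoutMs;
  let attempts = 0;
  while (true) {
    attempts++;
    const last = evaluatePoll(await fetchSecret(), expected);
    if (last.ready) return;
    if (Date.now() >= deadline) throw new Error(timeoutMessage(name, last, attempts));
    await new Promise((resolve) => setTimeout(resolve, intervalMs));
  }
}
```

`syncFromSnapshots` exists so the decision logic can be exercised deterministically; in a deploy step you would call `waitForSecretSync` with a reader that wraps the Secrets API and maps a 404 to `null`. The check is deliberately keyed on `hasOwnProperty` rather than truthiness, so a key whose value is the empty string is not mistaken for an unsynced one.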