Wire POD_TOKEN_SIGNING_SECRET into jobs-manager + requests-proxy (stateless tokens, client-runtime#79) #204

@saadqbal

Chart side of client-runtime#79 (stateless signed pod-proxy tokens, PR client-runtime#89).

Changes

  • secrets.yaml: add POD_TOKEN_SIGNING_SECRET to the Opaque secret. Stable across upgrades via lookup (explicit value > existing stored value > generated), so tokens minted before an upgrade still verify after.
  • jobs-manager-deployment.yaml: inject POD_TOKEN_SIGNING_SECRET (secretKeyRef) + POD_TOKEN_TTL_SECONDS (value).
  • requests-proxy-deployment.yaml: inject POD_TOKEN_SIGNING_SECRET (secretKeyRef) — verify side.
  • values.yaml: podTokenSigningSecret: "" (auto-generate) + podTokenTtlSeconds: 604800.
  • Chart version/appVersion 1.4.5 → 1.5.0.

Notes

  • Secret is never injected into training pods.
  • Auto-generates by default; operators can pin/rotate via podTokenSigningSecret.
  • Set podTokenTtlSeconds to comfortably exceed max job duration.

Refs client-runtime#79, client-runtime#89, client-runtime#88.
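
The precedence described for secrets.yaml (explicit value > existing stored value > generated) can be expressed with Helm's `lookup` as in the following added example, which is not the chart's actual template. The Secret name `example-runtime-secrets` and the 64-character generated length are assumptions; the key and value names come from the description above.

```yaml
{{- /* Illustrative template; the Secret name below is hypothetical. */ -}}
{{- $name := "example-runtime-secrets" -}}
{{- /* lookup returns an empty map when the Secret does not exist yet. */ -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $name -}}
{{- $data := (get $existing "data") | default (dict) -}}
{{- $signing := "" -}}
{{- if .Values.podTokenSigningSecret -}}
{{- /* 1. Explicit value wins: operator pin or rotation. */ -}}
{{- $signing = .Values.podTokenSigningSecret | b64enc -}}
{{- else if hasKey $data "POD_TOKEN_SIGNING_SECRET" -}}
{{- /* 2. Reuse the stored value (already base64) so tokens minted before an upgrade still verify. */ -}}
{{- $signing = index $data "POD_TOKEN_SIGNING_SECRET" -}}
{{- else -}}
{{- /* 3. First install: generate a random secret. */ -}}
{{- $signing = randAlphaNum 64 | b64enc -}}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}
  namespace: {{ .Release.Namespace }}
type: Opaque
data:
  POD_TOKEN_SIGNING_SECRET: {{ $signing | quote }}
```

`lookup` returns an empty result under `helm template` and client-side `--dry-run`, so pipelines that render the chart that way fall through to branch 3 on every render and should set `podTokenSigningSecret` explicitly.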
