Do not try to decrypt "SopsSecret"s

[danhubern]

We use the sops-secrets-operator in our clusters for historical reasons but also want to use flux's sops decryption feature. However, that is currently not possible because the kustomize-controller tries to decrypt objects of kind SopsSecret and applies the invalid result to the cluster. I would expect the kustomize-controller to ignore objects it cannot decrypt.

I propose to add an option to ignore certain objects kinds for decryption. That allows both secret handling approaches to run in parallel.

A possible solution would be to change the isSOPSEncryptedResource case in DecryptResource to exclude objects with certain annotations or e.g. of kind SopsSecret. If you agree to the proposal or suggest an even better solution I will gladly implement it in a PR.

[stefanprodan]

I'm not for hardcoding a Kind, instead we could implement an annotation: kustomize.toolkit.fluxcd.io/decrypt (default Enabled) similar to what we have in https://fluxcd.io/flux/components/kustomize/kustomizations/#controlling-the-apply-behavior-of-resources