[operator] Make TLS secret Helm hooks optional

[jvoravong]

Description:
Currently, Helm always uses pre-install and pre-upgrade hooks to deploy user-supplied or Helm-generated certificates (reference). However, this is not always desirable. I propose making these hooks optional via values.yaml overrides, leveraging the existing admissionWebhooks.secretAnnotations value field. Created a PR implements with this change and includes an UPGRADING.md entry.

Why:

• Helm hooks are not universally supported across all Kubernetes deployment methods, such as the
  AWS EKS add-on method.
• The "helm.sh/hook-delete-policy": "before-hook-creation"annotation can prevent the TLS secret from
  being deleted when uninstalling the chart or migrating to cert-manager, potentially causing deployment
  errors such as "secret already exists and is managed by another chart."

Impact:
This change introduces optional Helm hooks while keeping them enabled by default, ensuring backwards compatibility for most users. However, there is a breaking change for users who have already customized admissionWebhooks.secretAnnotations.

• New default values in values.yaml:

  admissionWebhooks:
    secretAnnotations:
      "helm.sh/hook": "pre-install,pre-upgrade"
      "helm.sh/hook-delete-policy": "before-hook-creation"

• Breaking change:
  If you previously set custom annotations, you must now merge them with the new default to maintain prior behavior:

  admissionWebhooks:
    secretAnnotations:
      "helm.sh/hook": "pre-install,pre-upgrade"
      "helm.sh/hook-delete-policy": "before-hook-creation"
      {your_custom_annotations}

• Why this matters:
  This ensures user-supplied TLS files are validated to exist and be accessible early (pre-install or pre-upgrade), reducing the risk of errors in the Helm install phase.

[jvoravong]

Please assign to me when possible.