kustomize-controller

Allow providing cluster-wide age identity via controller env var

Open mraerino opened this issue 1 year ago • 10 comments

SOPS has the handy feature of allowing the identity for decryption to be read from SOPS_AGE_KEY. Because of the keyservice implementation detail of Flux, you can't use that env var to set a cluster-wide identity on the controller.

This change implements that ability using the env var FLUX_SOPS_AGE_KEY. When you set that variable on the Kustomize Controller, it will be used as an additional key in decryption and allows omitting the spec.decryption.secretRef property on the Flux Kustomization (it is marked as optional in the API).

mraerino, Jul 04 '23 22:07
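The setup described in the post above, sketched as manifests. This is an added example, not taken from the issue or from the Flux project; it assumes the proposed FLUX_SOPS_AGE_KEY variable behaves as the post describes. The Secret name `sops-age-cluster`, its key `age.agekey`, the Kustomization name `apps` and the path `./apps` are hypothetical, and the key value is a placeholder.

```yaml
# Secret holding the age identity. The value is a constructed placeholder,
# not a real key; in practice create it out of band, never commit it.
apiVersion: v1
kind: Secret
metadata:
  name: sops-age-cluster        # hypothetical name
  namespace: flux-system
stringData:
  age.agekey: AGE-SECRET-KEY-PLACEHOLDER
---
# Patch for the kustomize-controller Deployment: the identity is injected
# from the Secret instead of being written as a literal env value.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kustomize-controller
  namespace: flux-system
spec:
  template:
    spec:
      containers:
        - name: manager
          env:
            - name: FLUX_SOPS_AGE_KEY   # variable proposed in this issue
              valueFrom:
                secretKeyRef:
                  name: sops-age-cluster
                  key: age.agekey
---
# Kustomization that relies on the controller-wide identity.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps                    # hypothetical name
  namespace: flux-system
spec:
  interval: 10m
  path: ./apps                  # hypothetical path
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    # secretRef omitted: decryption uses the controller's identity
```

With a controller-wide identity, every Kustomization that controller reconciles can decrypt data encrypted to that key, so per-tenant separation still requires a per-Kustomization spec.decryption.secretRef.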