Security: Add a mechanism for sending secrets that avoids embedding them in plain text configurations.

[nephyst]

Agents sometimes require secrets to be sent along with configurations. Currently the only mechanism that OpAMP provides is to include those secrets in plain text configurations.

The protocol should allow for sending secrets separate from configurations. The supervisor could then apply the secrets as env vars, which replace placeholders in the configurations. In a kubernetes environment the opamp-bridge/operator would be able to make use the kubernetes secrets configurations.

Example use cases:

• Using OpAMP to configure OTEL Collector pipelines that pull telemetry from one external API and forward it to another, where the APIs authenticate requests using API-Keys.
• Using OpAMP to configure pipelines that dynamically attach an API-Keys to telemetry based on some value in the payload.