Enforce exceptions in GitOps

[sgress454]

Related user story

#40171

Task

Enforce the new exceptions config when running GitOps:

• If an entity (software, secrets or labels) has exceptions turned on, treat a missing key for that entity (software:, secrets: or labels:) as a no-op
• If an entity has exceptions turned on, and the key for that entity is provided, fail the gitops run with an error (possibly only in GitOps mode, tbd)
• If an entity had exceptions tuned off, treat a missing key as "remove all config for that entity"

Condition of satisfaction

After setting up an instance with labels and secrets in it:

• With all exceptions ON, running fleetctl gitops with a file that has labels: in it should produce an error
• With all exceptions ON, running fleetctl gitops with a file that has secrets: in it should produce an error
• With all exceptions ON, running fleetctl gitops with a file that has software: in it should produce an error
• With all exceptions ON, running fleetctl gitops with a file that has no software:, labels: or secrets: keys should result in no changes to the software, labels or secrets on the server
• With all exceptions OFF, running fleetctl gitops with a file that has no software:, labels: or secrets: keys should result in all software, secrets and labels being removed.