Extend token-vendor to aid with cleaning up stale robot registrations

[ensonic]

See #PR/318.

Right now when deleting a registered robot (by deleting the robot-cr), the associated pubkey is not deleted, leading to an accumulation of stale pubkey configmaps in the app-tokenvendor namespace.

Some ideas:

1. token vendor could watch robot-crs and also delete pubkeys when robots are deleted. I should not auto delete pubkey where we don't have a robot-cr in the cloud as we support a dev-setup, where the robot-cr is not synced to the cloud.
2. token-vendor could build an in-memory map of last seen timestamps and on a low rate (every 15 min), write those back to the pubkeys. Then one can script against this.
3. token-vendor could use a counter metric for the verify requests and label them with the robot-id. Not sure if this would cause too high cardinality.

We should also consider to label the pub-keys for easy filtering in the backup_robots.sh script.