feat(k8s): make app-tier object storage configurable via storage.s3

[aicam]

Task Summary

Route the Texera application services' object-storage access through a configurable storage.s3 values block, instead of hardcoding the in-cluster MinIO Service and Secret. This is the app-tier slice of making object storage pluggable (parent feature #5891); LakeFS/Lakekeeper storage and the minio.enabled off-switch follow as a separate step.

Scope (this task):

• Add a storage.s3 block to values.yaml (endpoint, region, existingSecret, accessKeyId, secretAccessKey).
• Add chart helpers that resolve the S3 endpoint and credentials Secret, defaulting to the in-cluster MinIO when storage.s3.endpoint is empty.
• Add a gated s3-credentials-secret.yaml (rendered only for an external endpoint without a pre-existing Secret).
• Wire file-service and workflow-computing-unit-manager to the helpers.

Non-goals (deferred to the next step):

• LakeFS blockstore + Lakekeeper warehouse external-S3 wiring.
• minio.enabled toggle to drop the in-cluster MinIO entirely.
• values-aws.yaml example overlay.

Task Type

• Refactoring / enabler (no behavior change by default)
• Bug fix
• Documentation

The default (on-prem / in-cluster MinIO) install renders an identical set of resources; the external-S3 path is opt-in via storage.s3.endpoint.

Part of #5891. Follows #5757 (template reorg) and #5641 (design discussion).