Support decryption of externally managed partitions

[michaelbeaumont]

I have a LUKS-formatted partition, whose lifecycle Talos should not be responsible for, on one of my nodes that I basically just want Talos to run cryptsetup luksOpen on, using its existing KMS/passphrase/tpm support, so that I can use the resulting device mapper device. It should never provision this partition. It should never wipe this partition. It should just unlock it if it exists.

Background:

In #8367 I see:

• read-only user disks mounts (e.g. mounting my precious photo archive to the Talos machine, making sure that Talos never touches the contents)

and

provisioning (optional): if the volume is not available, Talos can provision the volume (e.g. create a partition), so that it can be looked up, and it becomes available

which would seem to be covered by this feature.

There's #10469 but it's not clear to me whether that includes partitions that Talos doesn't manage or if it's even covered by the existing UserVolumeConfig support