fix: per-gatherer excludeAnnotationKeysRegex now excludes resources from upload

[FelixPhipps]

Fixes a bug where annotation/label-based exclusion rules had no effect on which resources were uploaded to TLSPK.

Two issues were present:

1. The per-gatherer config fields excludeAnnotationKeysRegex and excludeLabelKeysRegex were ignored — ConfigDynamic didn't have those fields, so the YAML was discarded at parse time.
2. Even via the top-level exclude-annotation-keys-regex, matching resources were still uploaded. The existing logic only stripped the matching keys from resource metadata (a privacy feature) — it never dropped the resource itself.

Fix: Added excludeAnnotationKeysRegex and excludeLabelKeysRegex to ConfigDynamic so per-gatherer config is correctly parsed. Added excludeResources() called in Fetch() before redactList(), which drops any resource whose annotation or label keys match the configured patterns. Both the per-gatherer and top-level config formats now work as customers expect.

Automated testing added to PR.