server: add per-service annotations for main and internal services

[mbaldessari]

PR #896 added per-service annotation support for the HA active and standby services (server.service.active.annotations and server.service.standby.annotations), partially addressing issue #674. However, it left out two services that still only received the generic server.service.annotations:

• The main service (server-service.yaml): the primary client-facing service, rendered in every deployment mode (standalone, dev, and HA).
• The internal headless service (server-headless-service.yaml): the ClusterIP=None service used for pod DNS and Raft join operations.

Without per-service annotations on these two services, setting server.service.annotations applies to all four services. This makes it impossible to, for example, set different annotations on the main service versus the internal headless service which is the problem that was described in issue 674 and which I am hitting as well.

This commit adds:

• server.service.main.annotations: annotations applied only to the main service (server-service.yaml), merged after (and overriding) the generic server.service.annotations.
• server.service.internal.annotations: annotations applied only to the internal headless service (server-headless-service.yaml), with the same merge/override semantics.

"main" was chosen over "nonha" because this service is rendered in all deployment modes, not just non-HA.

Closes: #647

PCI review checklist

• I have documented a clear reason for, and description of, the change I am making.

• If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

• If applicable, I've documented the impact of any changes to security controls.

  Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.