release-22.1: pkg/keys: implement SafeFormatter for roachpb.Key

[abarganier]

Backport 1/1 commits from #86813.

/cc @cockroachdb/release

---

Currently, when a key is logged, the entirety of the pretty-printed
key is redacted, hindering observability when parsing through redacted
logs (something that will become more common with upcoming compliance
requirements).

For example, prior to this patch, a pretty-printed key would appear
in the following way for the unredacted/redacted cases, respectively:

- unredacted: ‹/Table/42/1222/"index key"›
- redacted:   ‹x›

This patch addresses this by implementing the SafeFormatter interface
for roachpb.Key and roachpb.RKey, yielding the following result
when looking at the same example above:

- unredacted: /Table/42/1222/‹"index key"›
- redacted:   /Table/42/1222/‹x›

While the index key itself remains redacted, the ability to see the
specific table, index, and in the case of tenant tables, the tenant
itself, provides much better observability into which table & index
a log line is referring to than before.

Note that this implementation is only partial. It currently only
supports keys that fall in the /Table keyspace for application
tenants and system tenants. Keyspaces such as Meta1, Meta2, Local,
etc. are not yet supported, but can be added with much more ease
in the future now that the example has been set.

Finally, we remove the maxLen and related truncation logic from
StringWithDirs, as this is no longer used. Furthermore, the
truncation was invalid as it could have truncated a utf-8
sequence in the wrong place, making the result invalid utf-8.

This PR is a continuation of the work originally done by @kzh in
#67065. See the original PR for some initial discussions.

Release note (security update): redacted logs will now reveal
pretty-printed keys, except for the index key values themselves.
For example /Table/42/1222/‹x› will be shown instead of ‹x›
(which was shown previously). This improved redaction is available
for the /Table keyspace for both system and application tenants.
Other keyspaces such as /Meta1, /Meta2, /Local, etc. are not
yet supported.

Release justification: low risk, high benefit observability changes

Addresses #86316

[blathers-crl]

Thanks for opening a backport.

Please check the backport criteria before merging:

• Patches should only be created for serious issues or test-only changes.
• Patches should not break backwards-compatibility.
• Patches should change as little code as possible.
• Patches should not change on-disk formats or node communication protocols.
• Patches should not add new functionality.
• Patches must not add, edit, or otherwise modify cluster versions; or add version gates.

If some of the basic criteria cannot be satisfied, ensure that the exceptional criteria are satisfied within.

• There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
• The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
• New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters.
• The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.

Add a brief release justification to the body of your PR to justify this backport.

Some other things to consider:

• What did we do to ensure that a user that doesn’t know & care about this backport, has no idea that it happened?
• Will this work in a cluster of mixed patch versions? Did we test that?
• If a user upgrades a patch version, uses this feature, and then downgrades, what happens?

[cockroach-teamcity]

This change is 

[andreimatei]

Approved, but do we really need this for 22.1?

[abarganier]

You're right - not needed for 22.1. I misunderstood the compliance requirements here - we only need this for 22.2+.

Closing. TFTR regardless :)