refactor: change generic secret label

[krancour]

@jessesuen @gdsoumya this PR changes the label used to indicate a Secret is a generic one as discussed offline.

New Secrets get created with the new label.

To not break backwards compatibility with v1.2.0, updates will swap the legacy label for the new one and list operations will list all Secrets labeled with one or both.

There is a small breaking change, which will be documented in the release notes:

Expressions now have access only to appropriately labeled Secrets. That should have been included in #2975, but was accidentally overlooked.

[netlify]

✅ Deploy Preview for docs-kargo-io ready!

Name	Link
🔨 Latest commit	511864c
🔍 Latest deploy log	https://app.netlify.com/sites/docs-kargo-io/deploys/6791611c3998c50008ed7eef
😎 Deploy Preview	https://deploy-preview-3331.docs.kargo.io
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[codecov]

Codecov Report

Attention: Patch coverage is 83.87097% with 10 lines in your changes missing coverage. Please review.

Project coverage is 52.53%. Comparing base (24f71a5) to head (511864c).
Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/api/delete_project_secret_v1alpha1.go	25.00%	2 Missing and 1 partial ⚠️
internal/api/list_project_secrets_v1alpha1.go	86.36%	2 Missing and 1 partial ⚠️
internal/directives/simple_engine_promote.go	89.28%	2 Missing and 1 partial ⚠️
internal/api/update_project_secret_v1alpha1.go	85.71%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3331      +/-   ##
==========================================
+ Coverage   52.05%   52.53%   +0.48%     
==========================================
  Files         295      291       -4     
  Lines       26695    26586     -109     
==========================================
+ Hits        13895    13968      +73     
+ Misses      12041    11855     -186     
- Partials      759      763       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jessesuen]

As part of this, let's also get rid of kargo.akuity.io/analysis-run-template label, which was never used/documented/etc...

[krancour]

As part of this, let's also get rid of kargo.akuity.io/analysis-run-template label, which was never used/documented/etc...

@jessesuen there are spots in the code where we list only Secrets or ConfigMaps that have that label. When building an AnalysisRun we also refuse references to any ConfigMap or Secret not labeled in that way.

Can you clarify for me how you want those behaviors to change? Are we simply eliminating those constraints? Or, more likely, are we eliminating that constraint for ConfigMaps and for Secrets, we will require the new generic cred label instead?

[jessesuen]

there are spots in the code where we list only Secrets or ConfigMaps that have that label

It must not be enforced with the Job metric. In other words, I can currently create a job that references a secret to be used as an env var, and it currently works. So the label is not really fulfilling it's purpose, if that was the intent.

[krancour]

When building an AnalysisRun we also refuse references to any ConfigMap or Secret not labeled in that way.

It must not be enforced with the Job metric. In other words, I can currently create a job that references a secret to be used as an env var, and it currently works. So the label is not really fulfilling it's purpose, if that was the intent.

My apologies. I was a bit hasty in my analysis of where this was used and I mis-identified a chunk of code that referenced that label.

This is used exclusively by API endpoints that don't appear ever to have been used.

So that label can go away easily.

[akuitybot]

Successfully created backport PR for release-1.2:

• chore(backport release-1.2): refactor: change generic secret label #3350