Determine credential type from label

[rainest]

What this PR does / why we need it:

Adds a label alternative to the kongCredType Secret field. Setting konghq.com/credential: CREDTYPE is now equivalent to setting a kongCredType=CREDTYPE Secret field.

Which issue this PR fixes:

Fix #2502

Special notes for your reviewer:

#2502 (comment) contains a migration script that will eventually go in docs. There isn't a clear place in 3.x docs to stick an upgrade section, so #4854 to follow up. As a stopgap, the changelog links to the comment.

Adds new system, does not remove old system. Not sure we want to single release breaking change this; I think we can do the final removal after 3.0 unless we want to bundle as many breaking changes at once, even if they're larger ones that didn't previously have a deprecation period: #4853

PR Readiness Checklist:

Complete these before marking the PR as ready to review:

• the CHANGELOG.md release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR

[codecov]

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Comparison is base (2089f87) 77.7% compared to head (68533b3) 77.9%.
Report is 7 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##            main   #4825     +/-   ##
=======================================
+ Coverage   77.7%   77.9%   +0.2%     
=======================================
  Files        164     165      +1     
  Lines      18399   18455     +56     
=======================================
+ Hits       14298   14389     +91     
+ Misses      3281    3256     -25     
+ Partials     820     810     -10     

Files	Coverage Δ
...ion/validation/consumers/credentials/validation.go	96.2% <100.0%> (+6.8%)	⬆️
internal/dataplane/parser/parser.go	92.6% <100.0%> (+2.6%)	⬆️
internal/util/credential.go	100.0% <100.0%> (ø)
internal/admission/handler.go	61.2% <0.0%> (ø)
internal/dataplane/kongstate/kongstate.go	83.0% <92.3%> (+2.8%)	⬆️

... and 13 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[rainest]

Observed a flake in https:/Kong/kubernetes-ingress-controller/actions/runs/6511654773/attempts/1?pr=4825 but Github isn't showing any artifacts in the summary 😢

2023-10-13T18:32:19.8431950Z     translation_failures_test.go:287: received event's message (failed to fetch the secret (f5538e3a-6211-440e-bcbd-3650432100a6/translation-failures-d45b20b5-31e4-40fa-8fd2-e48520d3d0b2)) does not contain the expected reason: 'failed to construct certificate from secret'
2023-10-13T18:32:19.8456195Z     translation_failures_test.go:306: waiting for events, received so far:
2023-10-13T18:32:19.8458524Z         * Ingress/translation-failures-c86b6152-5e04-4aed-bdbe-bda6254336fc: "failed to fetch the secret (f5538e3a-6211-440e-bcbd-3650432100a6/translation-failures-d45b20b5-31e4-40fa-8fd2-e48520d3d0b2)"
2023-10-13T18:32:19.8460802Z         * Ingress/translation-failures-c86b6152-5e04-4aed-bdbe-bda6254336fc: "failed to construct certificate from secret"
2023-10-13T18:32:19.8462572Z         * Secret/translation-failures-d45b20b5-31e4-40fa-8fd2-e48520d3d0b2: "failed to construct certificate from secret"
2023-10-13T18:32:20.8435119Z     translation_failures_test.go:287: received event's message (failed to fetch the secret (f5538e3a-6211-440e-bcbd-3650432100a6/translation-failures-d45b20b5-31e4-40fa-8fd2-e48520d3d0b2)) does not contain the expected reason: 'failed to construct certificate from secret'
2023-10-13T18:32:20.8456966Z     translation_failures_test.go:306: waiting for events, received so far:
2023-10-13T18:32:20.8459510Z         * Ingress/translation-failures-c86b6152-5e04-4aed-bdbe-bda6254336fc: "failed to fetch the secret (f5538e3a-6211-440e-bcbd-3650432100a6/translation-failures-d45b20b5-31e4-40fa-8fd2-e48520d3d0b2)"
2023-10-13T18:32:20.8461884Z         * Ingress/translation-failures-c86b6152-5e04-4aed-bdbe-bda6254336fc: "failed to construct certificate from secret"
2023-10-13T18:32:20.8463723Z         * Secret/translation-failures-d45b20b5-31e4-40fa-8fd2-e48520d3d0b2: "failed to construct certificate from secret"
2023-10-13T18:32:21.8396897Z     translation_failures_test.go:261: 
2023-10-13T18:32:21.8398816Z         	Error Trace:	/home/runner/work/kubernetes-ingress-controller/kubernetes-ingress-controller/test/integration/translation_failures_test.go:261
2023-10-13T18:32:21.8400316Z         	Error:      	Condition never satisfied
2023-10-13T18:32:21.8401419Z         	Test:       	TestTranslationFailures/ingress_referring_a_secret_with_no_valid_TLS_key-pair

[pmalek]

Observed a flake in https:/Kong/kubernetes-ingress-controller/actions/runs/6511654773/attempts/1?pr=4825 but Github isn't showing any artifacts in the summary 😢

2023-10-13T18:32:19.8431950Z     translation_failures_test.go:287: received event's message (failed to fetch the secret (f5538e3a-6211-440e-bcbd-3650432100a6/translation-failures-d45b20b5-31e4-40fa-8fd2-e48520d3d0b2)) does not contain the expected reason: 'failed to construct certificate from secret'
2023-10-13T18:32:19.8456195Z     translation_failures_test.go:306: waiting for events, received so far:
2023-10-13T18:32:19.8458524Z         * Ingress/translation-failures-c86b6152-5e04-4aed-bdbe-bda6254336fc: "failed to fetch the secret (f5538e3a-6211-440e-bcbd-3650432100a6/translation-failures-d45b20b5-31e4-40fa-8fd2-e48520d3d0b2)"
2023-10-13T18:32:19.8460802Z         * Ingress/translation-failures-c86b6152-5e04-4aed-bdbe-bda6254336fc: "failed to construct certificate from secret"
2023-10-13T18:32:19.8462572Z         * Secret/translation-failures-d45b20b5-31e4-40fa-8fd2-e48520d3d0b2: "failed to construct certificate from secret"
2023-10-13T18:32:20.8435119Z     translation_failures_test.go:287: received event's message (failed to fetch the secret (f5538e3a-6211-440e-bcbd-3650432100a6/translation-failures-d45b20b5-31e4-40fa-8fd2-e48520d3d0b2)) does not contain the expected reason: 'failed to construct certificate from secret'
2023-10-13T18:32:20.8456966Z     translation_failures_test.go:306: waiting for events, received so far:
2023-10-13T18:32:20.8459510Z         * Ingress/translation-failures-c86b6152-5e04-4aed-bdbe-bda6254336fc: "failed to fetch the secret (f5538e3a-6211-440e-bcbd-3650432100a6/translation-failures-d45b20b5-31e4-40fa-8fd2-e48520d3d0b2)"
2023-10-13T18:32:20.8461884Z         * Ingress/translation-failures-c86b6152-5e04-4aed-bdbe-bda6254336fc: "failed to construct certificate from secret"
2023-10-13T18:32:20.8463723Z         * Secret/translation-failures-d45b20b5-31e4-40fa-8fd2-e48520d3d0b2: "failed to construct certificate from secret"
2023-10-13T18:32:21.8396897Z     translation_failures_test.go:261: 
2023-10-13T18:32:21.8398816Z         	Error Trace:	/home/runner/work/kubernetes-ingress-controller/kubernetes-ingress-controller/test/integration/translation_failures_test.go:261
2023-10-13T18:32:21.8400316Z         	Error:      	Condition never satisfied
2023-10-13T18:32:21.8401419Z         	Test:       	TestTranslationFailures/ingress_referring_a_secret_with_no_valid_TLS_key-pair

Should be fixed by #4871

[pmalek]

I suggest we track changing this changelog entry to reference a proper docs link (or an equivalent) rather than a github issue link

[pmalek]

I'd assume we need to add validation to webhook to check secrets with the introduced label? (so that eventually we'd only check those instead of inspecting fields?)

[czeslavo]

I'd assume we need to add validation to webhook to check secrets with the introduced label? (so that eventually we'd only check those instead of inspecting fields?)

Yeah, that should do the job: #4896