support using secret names instead of UUID

[maxkpower]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/SM-1768

📔 Objective

Adds an optional useSecretNames field to the BitwardenSecret CRD that allows using secret names from Bitwarden Secrets Manager as Kubernetes secret keys instead of UUIDs.

Changes

1. Added useSecretNames boolean field (default: false) to BitwardenSecretSpec
2. Implemented POSIX validation for secret names (must start with letter/underscore, contain only alphanumeric/underscore)
3. Added duplicate name detection with detailed error messages
4. Updated controller logic to support both UUID mode (default) and name-based mode
5. Added comprehensive test coverage for validation and both modes
6. Updated documentation with examples and usage guidance

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – ef03c07b-54be-4eb4-ad7d-1c4dd65a71a0

Great job! No new security vulnerabilities introduced in this pull request

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.94%. Comparing base (847976a) to head (b1d5431).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #121      +/-   ##
==========================================
+ Coverage   62.40%   63.94%   +1.53%     
==========================================
  Files          11       11              
  Lines         963     1004      +41     
==========================================
+ Hits          601      642      +41     
  Misses        343      343              
  Partials       19       19              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[mimartin12]

❓ What validation is this referring to, I see the POSIX validation here, https://github.com/bitwarden/sm-kubernetes/pull/121/files#diff-66a708935ecfb1c2ce30bb5554633406245e96c20bc00bd85e0c8ccbaa0068deR348-R355, but that won't prevent secret sync (just logs), as this description is saying.

[tangowithfoxtrot]

Now that we've settled on merely warning for non-POSIX secret names, rather than failing, we should update this doc string, as well as the others that @mimartin12 pointed out. Maybe something like:

Suggested change

	# Optional: Use secret names from Bitwarden as Kubernetes secret keys
	# When enabled, secret names must be POSIX-compliant and unique
	# Default: false (uses UUIDs as keys for backward compatibility)
	# Optional: Use secret names from Bitwarden as Kubernetes secret keys
	# When enabled, secret names must be unique. Secret names that are not
	# POSIX-compliant will trigger a warning, but will be set on a best-effort
	# basis.
	# Default: false (uses UUIDs as keys for backward compatibility)

[tangowithfoxtrot]

Suggested change

	// POSIX-compliant names are required for environment variable compatibility:
	// POSIX-compliant names are recommended for maximum compatibility:

[tangowithfoxtrot]

Suggested change

	// New mode: Use secret names with validation and duplicate detection
	// Use secret names with validation and duplicate detection

[tangowithfoxtrot]

Suggested change

	// Legacy mode: Use UUIDs as keys
	// Use UUIDs as keys

[tangowithfoxtrot]

Could we make a new test for the useSecretName functionality and add that, rather than replacing this one?

[tangowithfoxtrot]

Question: should these tests be adjusted now that we've decided to simply warn for non-compliant secret names? Do they still pass?