K8SPG-570 update custom secret with labels when they are missing, update missing secret data with autogeneration

[gkech]

CHANGE DESCRIPTION

Problem:
By default, the operator will overwrite the user secret if it is custom-created and create a new one with fresh credentials for the user. The only way to avoid this is to provide all the data fields of the secret, or, as pointed out here: https://perconadev.atlassian.net/browse/K8SPG-570?focusedCommentId=426612, provide some specific labels to the secret so that the operator can track it and utilize it to fill in the missing secret data fields.

Cause:
Short explanation of the root cause of the issue if applicable.

Solution:

Testing

cr:

  users:
    - name: rhino
      databases:
        - zoo
      options: "SUPERUSER"
      password:
        type: ASCII
      secretName: "rhino-credentials"
      grantPublicSchemaAccess: false
    - name: cat
      databases:
        - zoo1
      options: "SUPERUSER"
      password:
        type: ASCII
      secretName: "cat-credentials"
      grantPublicSchemaAccess: false    

Demo secret with only password defined created before applying the cat user cr:

apiVersion: v1
data:
  password: YWJjZDEyMzQ1Njc4OQ==
kind: Secret
metadata:
  name: cat-credentials
type: Opaque

Secret after applying the CR for the user:

apiVersion: v1
data:
  dbname: em9vMQ==
  host: Y2x1c3RlcjEtcHJpbWFyeS5rZWNoNS5zdmM=
  jdbc-uri: amRiYzpwb3N0Z3Jlc3FsOi8vY2x1c3RlcjEtcHJpbWFyeS5rZWNoNS5zdmM6NTQzMi96b28xP3Bhc3N3b3JkPWFiY2QxMjM0NTY3ODkmdXNlcj1jYXQ=
  password: YWJjZDEyMzQ1Njc4OQ==
  pgbouncer-host: Y2x1c3RlcjEtcGdib3VuY2VyLmtlY2g1LnN2Yw==
  pgbouncer-jdbc-uri: amRiYzpwb3N0Z3Jlc3FsOi8vY2x1c3RlcjEtcGdib3VuY2VyLmtlY2g1LnN2Yzo1NDMyL3pvbzE/cGFzc3dvcmQ9YWJjZDEyMzQ1Njc4OSZwcmVwYXJlVGhyZXNob2xkPTAmdXNlcj1jYXQ=
  pgbouncer-port: NTQzMg==
  pgbouncer-uri: cG9zdGdyZXNxbDovL2NhdDphYmNkMTIzNDU2Nzg5QGNsdXN0ZXIxLXBnYm91bmNlci5rZWNoNS5zdmM6NTQzMi96b28x
  port: NTQzMg==
  uri: cG9zdGdyZXNxbDovL2NhdDphYmNkMTIzNDU2Nzg5QGNsdXN0ZXIxLXByaW1hcnkua2VjaDUuc3ZjOjU0MzIvem9vMQ==
  user: Y2F0
  verifier: U0NSQU0tU0hBLTI1NiQ0MDk2OkJwUnVjaXpGbHEyTzN0ZEdOY1Z0L2c9PSRhNjNROW9OR0lpT3c5UEZTZnR6Wmh3OUMxWWVmbVFIVXFuYUVFYlBxWTZ3PTpRaHdneXFFcWRhWEUva0R0QWNaNUJOTEErMHBEZFNZeGhkWWdMbTY4ZDlVPQ==
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"password":"YWJjZDEyMzQ1Njc4OQ=="},"kind":"Secret","metadata":{"annotations":{},"name":"cat-credentials","namespace":"kech5"},"type":"Opaque"}
  creationTimestamp: "2025-07-10T09:33:21Z"
  labels:
    app.kubernetes.io/instance: cluster1
    app.kubernetes.io/managed-by: percona-postgresql-operator
    app.kubernetes.io/name: percona-postgresql
    app.kubernetes.io/part-of: percona-postgresql
    postgres-operator.crunchydata.com/cluster: cluster1
    postgres-operator.crunchydata.com/pguser: cat
    postgres-operator.crunchydata.com/role: pguser
  name: cat-credentials
  namespace: kech5
  resourceVersion: "1752140058349791006"
  uid: 3b4f4e2b-b5d3-4a5c-b8a3-424f4e42468a
type: Opaque

Notice that all the related properties were automatically added to the secret, keeping the original password that was specified by the secret that was created manually.

Note that the aforementioned scenario is also added on the e2e test.

CHECKLIST

Jira

• Is the Jira ticket created and referenced properly?
• Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
• Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

• Is an E2E test/test case added for the new feature/change?
• Are unit tests added where appropriate?

Config/Logging/Testability

• Are all needed new/changed options added to default YAML files?
• Are all needed new/changed options added to the Helm Chart?
• Did we add proper logging messages for operator actions?
• Did we ensure compatibility with the previous version or cluster upgrade process?
• Does the change support oldest and newest supported PG version?
• Does the change support oldest and newest supported Kubernetes version?

[JNKPercona]

Test Name	Result	Time
backup-enable-disable	passed	00:00:00
custom-extensions	failure	00:00:00
custom-tls	passed	00:00:00
demand-backup	failure	00:27:47
finalizers	passed	00:00:00
init-deploy	passed	00:00:00
monitoring	passed	00:00:00
monitoring-pmm3	passed	00:00:00
one-pod	passed	00:00:00
operator-self-healing	passed	00:00:00
pgvector-extension	passed	00:00:00
pitr	passed	00:12:34
scaling	passed	00:00:00
scheduled-backup	passed	00:28:09
self-healing	passed	00:00:00
sidecars	passed	00:00:00
start-from-backup	passed	00:00:00
tablespaces	passed	00:00:00
telemetry-transfer	passed	00:00:00
upgrade-consistency	passed	00:00:00
upgrade-minor	passed	00:00:00
users	passed	00:00:00
We run 22 out of 22		01:08:32

commit: 8914e70
image: perconalab/percona-postgresql-operator:PR-1218-8914e70f9