Add DNS secret validation for AWS shoots

[wpross]

• Validate aws-dns provider secrets in shoot spec
• Refactor secret validation to use field.Path
• Refactor shoot validator to return all field errors
• Update tests accordingly

How to categorize this PR?

/area security
/kind enhancement
/platform aws

What this PR does / why we need it:
This PR adds input validation for DNS provider secrets for the aws-dns provider added in the shoots spec

...
  dns:
    domain: crazy-botany.core.my-custom-domain.com
    # Provider configuration required if custom shoot domain is configured.
    providers:
    - type: aws-dns
      secretName: my-custom-domain-secret
...

It complements PR1479

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Release note:

Add input validation for DNS provider secrets referenced in the shoot spec.

[wpross]

Created it as a draft since I haven't tested it yet.

[gardener-ci-robot]

The Gardener project currently lacks enough active contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:

• After 15d of inactivity, lifecycle/stale is applied
• After 15d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 7d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Mark this PR as rotten with /lifecycle rotten
• Close this PR with /close

/lifecycle stale

[wpross]

/remove-lifecycle stale

[gardener-robot]

@wpross Command /remove-lifecycle is not known.

[wpross]

/remove-lifecycle-stale

[gardener-robot]

@wpross Command /remove-lifecycle-stale is not known.

[AndreasBurger]

Some remarks, generally lgtm

[AndreasBurger]

Could also be moved to the initial declaration-block for consistency

[AndreasBurger]

Thats fine (great, even) if we don't expect to extend the kinds. If we do, I'd suggest to maintain a list of known kinds (somewhere around l.20) that can be the source of truth for known kinds. Higher likelihood of remembering to update that, in case of changes.

[AndreasBurger]

Also, there seems to be a field.NotSupported for these cases

[AndreasBurger]

I think this should also be field.Required

[AndreasBurger]

(possibly) field.Required

[github-actions]

This change enhances the AWS provider's secret validation system by implementing structured field-level validation with improved error handling and security measures. The update transitions from simple string-based error returns to a comprehensive field-based validation approach using Kubernetes' validation framework.

Walkthrough

• Refactor: Updated secret validation functions to use field.ErrorList instead of simple errors, providing structured field-path-based validation messages
• Refactor: Consolidated validation logic by removing code duplication across credentialsbinding, secretbinding, and secrets validators
• New Feature: Added DNS provider secret validation to shoot validation, supporting both standard and DNS-specific credential keys
• Refactor: Enhanced secret validation with stricter AWS credential format requirements (exact 20-character access keys, 40-character secret keys with proper character sets)
• Refactor: Implemented sensitive value hiding in validation error messages to prevent credential exposure in logs
• Test: Updated test suites with comprehensive validation scenarios using realistic AWS credential formats and proper mock configurations

_{Model: claude-sonnet-4-20250514 | Prompt Tokens: 21173 | Completion Tokens: 226}

[gardener-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AndreasBurger, wpross

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [AndreasBurger,wpross]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment