Rename `imagePullSecret` field

[jvanz]

In a recent fix in the Kubewarden admission controller we change the controller to forward the secrets used to authenticate in private registries into the Policy Server deployments. During this process we noticed that the field imagePullSecret in the Policy Server CRD can me misleading. This field contains the secret name used to configure the policy server to authenticate into the registry where it downloads the policies. There is no relation with the secret used to pull the policy server container image itself.

In this issue we want to fix this potential confusion doing two main changes:

• Rename the field: rename the field to properly reflact its goal (e.g. policiesPullSecrets or sourceRegistriesAuth)
• Allow a list of secrets names: this follow the common Kubernetes community/documentation practice where each registry has it's own secret with authentication data

This is a breaking change. The migration process should be defined before any change in the CRDs. One option is to add a new field, deprecate the old one and add a code in the controller to migrate the values from the old field to the new one. After some time, remove the deprecated field and keep only the new one.

Acceptance criteria

• Rename field in the Policy Server CRD
• Allow a list of string in the field
• Add tests
• Write documentation about how to use the "new" field
• Write documentation to cover the migration from old field the the "new" one

[nicknikolakakis]

Hi, I'd like to work on this.

Here's my proposed migration plan after reviewing the codebase:

New field name: sourceAuthorities or sourceRegistriesAuth (open to suggestions). I lean towards sourceRegistriesAuth since it clearly describes the purpose: authentication secrets for source registries where policies are pulled from.

Type change: string -> []string to allow multiple secrets (one per registry).

Migration strategy (3-phase):

Phase 1 (this PR):

• Add new sourceRegistriesAuth []string field to PolicyServerSpec in both v1 and v1alpha2 API types
• Mark imagePullSecret as deprecated via godoc + +deprecated marker
• Add controller logic: if sourceRegistriesAuth is empty but imagePullSecret is set, use []string{imagePullSecret} as the effective value
• Update configureImagePullSecret in policyserver_controller_deployment.go to mount multiple secrets
• Add a validating webhook check: if both fields are set, reject with a clear error
• Add tests
• Update CRD docs, Helm chart values, and templates

Phase 2 (future PR, after deprecation period):

• Remove imagePullSecret field
• Remove migration logic

Files that need changes:

• api/policies/v1/policyserver_types.go
• api/policies/v1alpha2/policyserver_types.go
• api/policies/v1/policyserver_webhook.go
• internal/controller/policyserver_controller_deployment.go
• Helm chart templates and values
• CRD docs
• make generate to regenerate CRDs

Does this approach align with what you had in mind?