fix: avoid empty Mongo root account secrets#30
Merged
Keep the generated Mongo account-root compatibility path, but route it through the normal account password resolution flow. This preserves restore password and legacy conn-credential fallback from the transformer account change while avoiding duplicate Mongo-specific password lookup logic.

Do not create account secrets when no password source is available and the password generation policy is invalid or empty. This prevents converted or legacy Mongo root accounts from silently producing account-root secrets with an empty password.

Also rename the compatibility helper to clarify that it handles generated Mongo components missing root in SystemAccounts, and add focused tests for new-cluster generation, legacy password migration, and zero-policy skip.
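To make the resolution order and the zero-policy skip concrete, the following is an added illustration in Go; it is not KubeBlocks code, and `PasswordSources`, `PasswordPolicy`, `resolveRootPassword` and `ErrNoPasswordSource` are names assumed for this example only. It consults the restore password first, then the legacy conn-credential Secret, then the generation policy, and returns an error rather than an empty password when all three are absent, which is the case that used to yield an empty-password account-root Secret.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Hypothetical, simplified models (not KubeBlocks types) of the inputs the PR's
// resolution order consults; Policy.Length == 0 is the "zero/empty policy" case.
type PasswordPolicy struct{ Length int }
type PasswordSources struct {
	RestorePassword  string            // password carried over by a restore, if any
	LegacyConnSecret map[string]string // data of the legacy <cluster>-conn-credential Secret
	Policy           PasswordPolicy
}

// ErrNoPasswordSource tells the caller to skip creating the account-root Secret.
var ErrNoPasswordSource = errors.New("no password source and empty generation policy")

// generatePassword draws n characters from a fixed alphabet using crypto/rand.
func generatePassword(n int) (string, error) {
	const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
	out := make([]byte, n)
	for i := range out {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// resolveRootPassword applies the order restore password -> legacy conn-credential
// -> generation policy, and never returns an empty password as success.
func resolveRootPassword(s PasswordSources) (string, error) {
	if s.RestorePassword != "" {
		return s.RestorePassword, nil
	}
	if pw := s.LegacyConnSecret["password"]; pw != "" {
		return pw, nil
	}
	if s.Policy.Length <= 0 {
		return "", ErrNoPasswordSource
	}
	return generatePassword(s.Policy.Length)
}

func main() { fmt.Println(resolveRootPassword(PasswordSources{Policy: PasswordPolicy{Length: 12}})) }
```

A caller that builds the Secret should treat `ErrNoPasswordSource` as "skip", not as a fatal reconcile error, so converted or legacy clusters without a password source simply get no account-root Secret.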
Author (Member):
[3/10] testdb/mg-4-2-s-nbr
Connection: mongodb://root:****@10.96.0.203:27017/admin
Status: OK (Primary)
[4/10] testdb/mg-4-2-s-nbs
Connection: mongodb://root:****@10.96.1.146:27017/admin
Status: OK (Primary)
[5/10] testdb/mg-4-4-s-nbr
Connection: mongodb://root:****@10.96.2.8:27017/admin
Status: OK (Primary)
[6/10] testdb/mg-4-4-s-nbs
Connection: mongodb://root:****@10.96.1.174:27017/admin
Status: OK (Primary)
[7/10] testdb/mg-5-0-14-s-nbr
Connection: mongodb://root:****@10.96.2.243:27017/admin
Status: OK (Primary)
[8/10] testdb/mg-5-0-14-s-nbs
Connection: mongodb://root:****@10.96.0.123:27017/admin
Status: OK (Primary)
[9/10] testdb/mg-5-0-s-nbr
Connection: mongodb://root:****@10.96.3.79:27017/admin
Status: OK (Primary)
[10/10] testdb/mg-5-0-s-nbs
Connection: mongodb://root:****@10.96.3.66:27017/admin
Status: OK (Primary)
==========================================
Summary: Total=10, Success=8, Failed=2
==========================================
→ 成功
========================================
所有 16 个步骤全部完成!
========================================
root@zjr-mongo:~/kubeblocks# kubectl get secret -n testdb | grep mg-
mg-4-0-s-nbr-conn-credential Opaque 8 3h20m
mg-4-0-s-nbr-mongodb-account-root Opaque 2 2m26s
mg-4-0-s-nbs-conn-credential Opaque 8 3h20m
mg-4-0-s-nbs-mongodb-account-root Opaque 2 2m27s
mg-4-2-s-nbr-conn-credential Opaque 8 3h20m
mg-4-2-s-nbr-mongodb-account-root Opaque 2 2m26s
mg-4-2-s-nbs-conn-credential Opaque 8 3h20m
mg-4-2-s-nbs-mongodb-account-root Opaque 2 2m26s
mg-4-4-s-nbr-conn-credential Opaque 8 3h20m
mg-4-4-s-nbr-mongodb-account-root Opaque 2 2m27s
mg-4-4-s-nbs-conn-credential Opaque 8 3h20m
mg-4-4-s-nbs-mongodb-account-root Opaque 2 2m26s
mg-5-0-14-s-nbr-conn-credential Opaque 8 3h20m
mg-5-0-14-s-nbr-mongodb-account-root Opaque 2 2m24s
mg-5-0-14-s-nbs-conn-credential Opaque 8 3h20m
mg-5-0-14-s-nbs-mongodb-account-root Opaque 2 2m24s
mg-5-0-s-nbr-conn-credential Opaque 8 3h20m
mg-5-0-s-nbr-mongodb-account-root Opaque 2 2m23s
mg-5-0-s-nbs-conn-credential Opaque 8 3h20m
mg-5-0-s-nbs-mongodb-account-root Opaque 2 2m23s
root@zjr-mongo:~/kubeblocks# kubectl get secret -n testdb mg-5-0-s-nbs-mongodb-account-root -o yaml
apiVersion: v1
data:
password: c2Z0OHR0cWQ=
username: cm9vdA==
immutable: true
kind: Secret
metadata:
creationTimestamp: "2026-05-25T06:52:17Z"
labels:
account.kubeblocks.io/name: root
app.kubernetes.io/instance: mg-5-0-s-nbs
app.kubernetes.io/managed-by: kubeblocks
apps.kubeblocks.io/component-name: mongodb
name: mg-5-0-s-nbs-mongodb-account-root
namespace: testdb
resourceVersion: "94720"
uid: ecdf34ff-d57e-42a0-ad51-4176c21dacc8
type: Opaque
root@zjr-mongo:~/kubeblocks# kubectl get secret -n testdb mg-5-0-s-nbs-conn-credential -o yaml
apiVersion: v1
data:
endpoint: bWctNS0wLXMtbmJzLW1vbmdvZGI6MjcwMTc=
headlessEndpoint: bWctNS0wLXMtbmJzLW1vbmdvZGItMC5tZy01LTAtcy1uYnMtbW9uZ29kYi1oZWFkbGVzczoyNzAxNw==
headlessHost: bWctNS0wLXMtbmJzLW1vbmdvZGItMC5tZy01LTAtcy1uYnMtbW9uZ29kYi1oZWFkbGVzcw==
headlessPort: MjcwMTc=
host: bWctNS0wLXMtbmJzLW1vbmdvZGI=
password: c2Z0OHR0cWQ=
port: MjcwMTc=
username: cm9vdA==
kind: Secret
metadata:
creationTimestamp: "2026-05-25T03:33:46Z"
finalizers:
- cluster.kubeblocks.io/finalizer
labels:
app.kubernetes.io/instance: mg-5-0-s-nbs
app.kubernetes.io/managed-by: kubeblocks
app.kubernetes.io/name: mongodb
apps.kubeblocks.io/cluster-type: mongodb
name: mg-5-0-s-nbs-conn-credential
namespace: testdb
ownerReferences:
- apiVersion: apps.kubeblocks.io/v1alpha1
blockOwnerDeletion: true
controller: true
kind: Cluster
name: mg-5-0-s-nbs
uid: d37752b9-356c-4c6e-a7a2-08b21e132aca
resourceVersion: "14159"
uid: 608ae16c-8fd5-433d-8e57-41d10a5f785a
type: Opaque
root@zjr-mongo:~/kubeblocks# cd ..
root@zjr-mongo:~# ls
cv.yaml go go1.26.2.linux-amd64.tar.gz kubeblocks mongo.yaml sealos_5.1.2-rc5_linux_amd64.deb snap test.sh
root@zjr-mongo:~# kubectl apply -f mongo.yaml
cluster.apps.kubeblocks.io/test-db created
root@zjr-mongo:~# kubectl get po
NAME READY STATUS RESTARTS AGE
test-db-mongodb-0 0/2 Pending 0 4s
root@zjr-mongo:~# kubectl get secret
NAME TYPE DATA AGE
test-db-mongodb-account-root Opaque 2 2m13s
wallyxjh approved these changes on May 25, 2026