submariner-io / submariner-operator

Operator that deploys the various Submariner components.
Apache License 2.0
104 stars 65 forks

Automated backport of #3064: Configure SAs to enforce mountable secrets #3143

Closed skitt closed 1 month ago

skitt commented 2 months ago

Backport of #3064 on release-0.17.

3064: Configure SAs to enforce mountable secrets

For details on the backport process, see the backport requests page.

submariner-bot commented 2 months ago

🤖 Created branch: z_pr3143/skitt/automated-backport-of-#3064-origin-release-0.17

🚀 Full E2E won't run until the "ready-to-test" label is applied. I will add it automatically once the PR has 2 approvals, or you can add it manually.

skitt commented 2 months ago

I’m wary of the upgrade impacts of this change (in particular the renamed broker secret) on upgrades from one patch release to the next — we won’t be able to enforce the use of subctl upgrade in all cases.

tpantelis commented 2 months ago

> I’m wary of the upgrade impacts of this change (in particular the renamed broker secret) on upgrades from one patch release to the next — we won’t be able to enforce the use of subctl upgrade in all cases.

We'd have to backport https://github.com/submariner-io/subctl/pull/1150 as well. This is a breaking change unless subctl upgrade is run so perhaps we shouldn't backport to patch releases.

submariner-bot commented 1 month ago

🤖 Closed branches: [z_pr3143/skitt/automated-backport-of-#3064-origin-release-0.17]