@wingsofovnia
Contributor

This PR addresses the issue of orphaned secrets created during reconciliation retries #83 by implementing deterministic labeling for account secrets #60.

Problem

When the NAuth controller reconciles a new Account CR, it generates account keys and creates Kubernetes secrets before uploading the JWT to NATS. If the NATS upload fails (e.g., NATS is temporarily unavailable), the reconciliation loop retries. Since the account.nauth.io/id label hasn't been applied to the CR yet, the controller would generate a new ID and a new set of secrets on every retry, leading to a build-up of orphaned secrets.

Solution

The controller now uses the account name as a deterministic identifier to locate existing secrets before creating new ones. By labeling secrets with account.nauth.io/name, the manager can recover and reuse previously generated keys even if the reconciliation process was interrupted.

Fixes #60
Closes #83
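
The retry behavior described in this PR, as an added Go sketch that is not code from the PR or the NAuth project: `Secret`, `Store`, `Reconcile` and `SecretsAfterRetries` are hypothetical in-memory stand-ins, and the IDs and seeds are constructed placeholders. It counts the secrets left behind when the NATS upload fails three times, with and without the lookup by `account.nauth.io/name`.

```go
package main

import "fmt"

// Label keys named in the PR description.
const labelID, labelName = "account.nauth.io/id", "account.nauth.io/name"

// Secret and Store are hypothetical in-memory stand-ins for the Kubernetes secret API.
type Secret struct {
	Labels map[string]string
	Seed   string // constructed placeholder, not a real key seed
}
type Store struct{ Secrets []*Secret }

// Reconcile models one attempt. With byName it first looks for a secret labeled
// with the account name; without it, every call mints a new ID and secret.
func (s *Store) Reconcile(name string, byName bool, upload func(seed string) error) error {
	var sec *Secret
	for _, c := range s.Secrets {
		if byName && c.Labels[labelName] == name {
			sec = c
		}
	}
	if sec == nil {
		id := fmt.Sprintf("constructed-id-%d", len(s.Secrets)+1)
		sec = &Secret{Labels: map[string]string{labelID: id, labelName: name}, Seed: "seed-" + id}
		s.Secrets = append(s.Secrets, sec)
	}
	return upload(sec.Seed) // an error here makes the caller retry
}

// SecretsAfterRetries fails the NATS upload `failures` times, then lets it
// succeed, and returns how many secrets exist when reconciliation completes.
func SecretsAfterRetries(byName bool, failures int) int {
	store, calls := &Store{}, 0
	upload := func(string) error {
		if calls++; calls <= failures {
			return fmt.Errorf("NATS unavailable")
		}
		return nil
	}
	for store.Reconcile("demo-account", byName, upload) != nil {
	}
	return len(store.Secrets)
}

func main() {
	fmt.Println("before:", SecretsAfterRetries(false, 3), "after:", SecretsAfterRetries(true, 3))
}
```

Without the name lookup, every failed upload leaves one more secret that nothing references; with it, the first secret is found again and its seed reused.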

@wingsofovnia wingsofovnia requested a review from a team as a code owner January 17, 2026 12:21
Collaborator

@thobiaskarlsson thobiaskarlsson left a comment

Looks good but I have a couple of comments I'd like you to consider before approving.

@wingsofovnia
Contributor Author

@thobiaskarlsson, thank you for the review. Ready for a second pass!

thobiaskarlsson previously approved these changes Feb 4, 2026
Collaborator

@thobiaskarlsson thobiaskarlsson left a comment

LGTM! Thank you for contributing! You need to sign-off the commit(s) though.

Contributor

@henriropp henriropp left a comment

Thanks. Just a minor finding in the seed lookup from secrets. Probably not a very frequent scenario...

Signed-off-by: Illia Ovchynnikov <illia.ovchynnikov@gmail.com>
@wingsofovnia
Contributor Author

wingsofovnia commented Feb 5, 2026

You need to sign-off the commit(s) though - @thobiaskarlsson

Done!

Just a minor finding in the seed lookup from secrets - @henriropp

Fixed too.

Thank you guys!

Are there any plans for the next release anytime soon (last one was more than 3 weeks ago)?

@thobiaskarlsson
Collaborator

> You need to sign-off the commit(s) though - @thobiaskarlsson
>
> Done!
>
> Just a minor finding in the seed lookup from secrets - @henriropp
>
> Fixed too.
>
> Thank you guys!
>
> Are there any plans for the next release anytime soon (last one was more than 3 weeks ago)?

Yes, we can absolutely do a new release. I was hoping for #116 to be merged soon so that we can get both features in the same release. @aleksanderaleksic, what are your thoughts on this, will you be able to fix the PR within the upcoming days?

@wingsofovnia
Contributor Author

I was hoping for #116 to be merged soon so that we can get both features in the same release - @thobiaskarlsson

#116 feels like a major change worth a v0.6.0 when it's ready. Looking forward to it!
If we could release v0.5.2 with bugfixes and small improvements that are already in the mainstream (perhaps this bugfix included too), that would be great. I had to deal with a nauth fork for a while now because of some of the fixes needed 🥲

@aleksanderaleksic

> Yes, we can absolutely do a new release. I was hoping for #116 to be merged soon so that we can get both features in the same release. @aleksanderaleksic, what are your thoughts on this, will you be able to fix the PR within the upcoming days?

@thobiaskarlsson I will work on it today and try to get it ready for another round of reviews.

@aleksanderaleksic

> #116 feels like a major change worth a v0.6.0 when it's ready. Looking forward to it! If we could release v0.5.2 with bugfixes and small improvements that are already in the mainstream (perhaps this bugfix included too), that would be great. I had to deal with a nauth fork for a while now because of some of the fixes needed 🥲

@wingsofovnia I agree that #116 is a new minor release, we are introducing a new concept even though it's backwards-compatible.

@wingsofovnia
Contributor Author

@thobiaskarlsson can we merge this PR or is there a reason to keep it open?

@thobiaskarlsson thobiaskarlsson merged commit 5a731a4 into WirelessCar:main Feb 8, 2026
5 checks passed
@thobiaskarlsson
Collaborator

> I was hoping for #116 to be merged soon so that we can get both features in the same release - @thobiaskarlsson
>
> #116 feels like a major change worth a v0.6.0 when it's ready. Looking forward to it! If we could release v0.5.2 with bugfixes and small improvements that are already in the mainstream (perhaps this bugfix included too), that would be great. I had to deal with a nauth fork for a while now because of some of the fixes needed 🥲

Yes, I'll release the current changes as a patch release. 👍 Great work!

Development

Successfully merging this pull request may close these issues.

NAuth creates orphaned account secrets if NATS is unavailable
Add account name as label in root + sign keys