fix(konnect) avoid collisions when redacting

[rainest]

What this PR does / why we need it:

Change the static redacted pretend Vault string to a function that generates a random pretend Vault string.

This avoids collisions for certain types of values when go-database-reconciler builds configuration. It uses an in-memory database that looks up Kong entities by unique fields. If these fields aren't actually unique, go-database-reconciler will detect a conflict and abort.

Which issue this PR fixes:

Reported by @mheap in chat.

Special notes for your reviewer:

Manual smoke testing: creating a key-auth with {vault://04a84f95-91f0-4caa-87d1-91a2caa2a6ca} as the key value to validate that UUIDs are valid Vault keys.

Originally did this for all redacted strings, but turns out that the random stuff needs accounting for in tests in less than intuitive ways, so limited to the resources we know have this problem for certain. key-auth is probably alone there, as one of the few (only?) things where the primary key has to be sensitive.

PR Readiness Checklist:

Complete these before marking the PR as ready to review:

• the CHANGELOG.md release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

❗ No coverage uploaded for pull request base (main@755e2ce). Click here to learn what that means.
Report is 17 commits behind head on main.

❗ Current head 36538e8 differs from pull request most recent head 2ee6705. Consider uploading reports for the commit 2ee6705 to get more accurate results

Additional details and impacted files

@@          Coverage Diff           @@
##             main   #5964   +/-   ##
======================================
  Coverage        ?   68.0%           
======================================
  Files           ?     179           
  Lines           ?   18307           
  Branches        ?       0           
======================================
  Hits            ?   12464           
  Misses          ?    4868           
  Partials        ?     975           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[randmonkey]

LGTM, but is the KeyAuth the only credential part that we need to de-deplecate in consumers?

[rainest]

So far as we know now, yeah. It seems the only one likely due to its (I think) unique "primary key is the one and only value" situation, though we could potentially have others.

I opted for the more targeted fix given the havoc that random values play with tests. If we find that others are affected we may want to randomize everything and refactor tests to accommodate that.

[team-k8s-bot]

E2E (targeted) tests with KIND-based clusters were started at https://github.com/Kong/kubernetes-ingress-controller/actions/runs/8978822226

[randmonkey]

@rainest Please check the linter comments on import section of plugin_test.go and kongupstreampolicy_test.go.

[team-k8s-bot]

The backport to release/3.1.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-release/3.1.x release/3.1.x
# Navigate to the new working tree
cd .worktrees/backport-release/3.1.x
# Create a new branch
git switch --create backport-5964-to-release/3.1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 4b60bf8cd8074fb310b8270e623fe8f080cdd934
# Push it to GitHub
git push --set-upstream origin backport-5964-to-release/3.1.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-release/3.1.x

Then, create a pull request where the base branch is release/3.1.x and the compare/head branch is backport-5964-to-release/3.1.x.

[pmalek]

@rainest The backport to 3.1 has failed.

[randmonkey]

Added manual backport PR: #6001
CHANGELOGS :-(