Drop support for non-labeled Secrets (Plugins' config, credentials)

[czeslavo]

Is there an existing issue for this?

• I have searched the existing issues

Does this enhancement require public documentation?

• I have added an Acceptance Criteria item for adding and/or adjusting public documentation (if applicable)

Problem Statement

In KIC 3.2 we made labeling Secrets (Plugin config and credentials) obligatory from the standpoint of the default ValidatingWebhookConfiguration we provide - meaning that Secrets that are not labeled with our custom labels (konghq.com/validate and konghq.com/credential) are not going to be validated by the validating webhook (#5856). We still didn't make the labels obligatory to make them visible by KIC's reconcile loops as we cache Secrets with no filters.

This issue is the next step in making the labels required - this time not only for the validation but also for making them be cached and reconciled by KIC. That will allow avoiding issues where KIC fails to boot because of cache sync timeouts in environments with a high volume of Secrets that are not meant to be reconciled by KIC.

Proposed Solution

• Use SelectorsByObject (✨ Add SelectorsByObject option to cache kubernetes-sigs/controller-runtime#1435) from controller-runtime to cache only properly labeled Secrets
• In the validating webhook, validate only Secrets that are labeled properly (if no label is found, just accept the Secret as it is)

Additional information

No response

Acceptance Criteria

• KIC no longer caches Secrets that do not have our custom labels (konghq.com/credentials, konghq.com/validate)
• Validation webhook only verifies Secrets that have our custom labels
• A breaking change note with a migration path described is added to the changelog
• All docs.konghq.com articles where Secrets are created are updated accordingly to be always labeled