
feat: webhook secrets must be labeled (#3753)

BREAKING CHANGE: Webhook secrets now must be labeled for Webhook SecretStore

BREAKING CHANGE: Generator webhook labels changed

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Gustavo Fernandes de Carvalho 1 year ago
parent
commit
af1ebd8817
2 changed files with 3 additions and 2 deletions
  1. 2 2
      pkg/common/webhook/webhook.go
  2. 1 0
      pkg/provider/webhook/webhook.go

+ 2 - 2
pkg/common/webhook/webhook.go

@@ -64,9 +64,9 @@ func (w *Webhook) getStoreSecret(ctx context.Context, ref SecretKeySelector) (*c
 		return nil, fmt.Errorf("failed to get clustersecretstore webhook secret %s: %w", ref.Name, err)
 	}
 	if w.EnforceLabels {
-		expected, ok := secret.Labels["generators.external-secrets.io/type"]
+		expected, ok := secret.Labels["external-secrets.io/type"]
 		if !ok {
-			return nil, fmt.Errorf("secret does not contain needed label to be used on webhook generator")
+			return nil, fmt.Errorf("secret does not contain needed label 'external-secrets.io/type: webhook'. Update secret label to use it with webhook")
 		}
 		if expected != "webhook" {
 			return nil, fmt.Errorf("secret type is not 'webhook'")
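Review bot: The new missing-label error does not name the secret, so after this breaking change an operator with several webhook secrets cannot tell which one was rejected; the lookup error at the top of the hunk already includes `ref.Name`. Consider `return nil, fmt.Errorf("secret %s is missing label 'external-secrets.io/type: webhook'", ref.Name)`, which also keeps the string to a single lowercase clause as Go error strings usually are. The label key now appears as a literal in both the lookup and the message, so a shared constant would keep the two from drifting apart. getStoreSecret starts and ends outside this hunk.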

+ 1 - 0
pkg/provider/webhook/webhook.go

@@ -70,6 +70,7 @@ func (p *Provider) NewClient(_ context.Context, store esv1beta1.GenericStore, ku
 		wh:        wh,
 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
 	}
+	whClient.wh.EnforceLabels = true
 	if whClient.storeKind == esv1beta1.ClusterSecretStoreKind {
 		whClient.wh.ClusterScoped = true
 	}
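Review bot: `whClient.wh.EnforceLabels = true` is set unconditionally with no comment explaining why. Going by the check in pkg/common/webhook/webhook.go, it is the line that limits a webhook SecretStore to secrets explicitly labeled `external-secrets.io/type: webhook`. A short comment would keep a later refactor from dropping it, for example `// A webhook store may only read secrets explicitly labeled external-secrets.io/type: webhook.` Neither of the two changed files is a test, so a case covering a store that references an unlabeled secret would pin the rejection path. NewClient starts and ends outside this hunk.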