Prevent secretgen-controller secret injection.

[GrahamDumpleton]

Is your feature request related to a problem? Please describe.

The workshop namespace and session namespace, plus secondary session namespaces explicitly listed in the workshop definition, are protected against secret injection by Carvel secretgen-controller by adding to the namespaces the annotation:

secretgen.carvel.dev/excluded-from-wildcard-matching: ""

Any namespaces objects created via session.objects and environment.objects do not have this annotation applied.

This means a workshop could create namespaces via the objects list which could serve as an avenue for stealing cluster secrets injected into all namespaces.

Note that this injection is stopped because how secretgen-controller does this is arguably poor security, so Educates blocks it to avoid leaking of sensitive secrets to workshop users.

Describe the solution you'd like

The annotation should be added automatically to any namespaces created via session.objects and environment.objects.

Describe alternatives you've considered

No response

Additional information

No response