feat: upgrade to external-secrets v1, add Barbican(OpenStack)/Vault/1Password providers, and fix GCP typo #134

Merged
binlab merged 2 commits into main from feat/eso-v1-and-openstack
Mar 18, 2026

binlab commented Mar 16, 2026

📝 Description

This PR introduces a significant upgrade to the secret management engine. It transitions from the deprecated v1beta1 to the stable v1 API version of the External Secrets Operator. Additionally, it expands the ecosystem by adding support for three new providers: OpenStack Barbican, HashiCorp Vault, and 1Password.

A database migration is included to automatically patch existing configurations, fix legacy typos, and enable the new Barbican provider for OpenStack environments.

🚀 Key Changes

1. External Secrets API Upgrade

  • Updated apiVersion from external-secrets.io/v1beta1 to external-secrets.io/v1.
  • Aligned the manifest generation logic and unit tests to ensure compliance with the stable ESO API.

2. New Secret Providers & Regex Expansion

  • Expanded the SECRET_REF_REGEX to support a wider range of providers.
  • Added Providers: barbican (OpenStack), vault (HashiCorp), and onepassword.
  • Users can now use the standard macro format for these new sources:
    • {{barbican:secret-name:key}}
    • {{vault:path/to/secret:key}}
    • {{onepassword:vault-id/item-id:key}}

3. Database Migration & Bug Fixes

A new Knex migration has been implemented to handle the global configuration update:

  • OpenStack Support: Automatically injects and enables the barbican provider into global_config.
  • Typo Correction: Fixes a typo in the GCP configuration where gcp-secretmanager was used instead of the correct gcp-secretsmanager.
  • Backward Compatibility: The down migration ensures the typo is reverted and the new provider is removed if a rollback is necessary.

🧪 Migration Testing Results

The migration was verified by checking the transformation of the secretProviders configuration in the database:

Before Migration:

{
    "aws": {
        "enabled": true,
        "clusterSecretStore": "aws-secretsmanager",
        "refreshInterval": "1h",
        "allowedPrefixes": []
    },
    "gcp": {
        "enabled": true,
        "clusterSecretStore": "gcp-secretmanager", // 🔴 Note the typo
        "refreshInterval": "1h",
        "allowedPrefixes": []
    }
}

After Migration:

{
    "aws": {
        "enabled": true,
        "clusterSecretStore": "aws-secretsmanager",
        "refreshInterval": "1h",
        "allowedPrefixes": []
    },
    "gcp": {
        "enabled": true,
        "clusterSecretStore": "gcp-secretsmanager", // ✅ Typo fixed
        "refreshInterval": "1h",
        "allowedPrefixes": []
    },
    "barbican": {                                    // ✅ New Provider added
        "enabled": true,
        "clusterSecretStore": "barbican-secretsmanager",
        "refreshInterval": "1h",
        "allowedPrefixes": []
    }
}

✅ Checklist

  • API version bumped to external-secrets.io/v1 in all templates and tests.
  • Regex pattern updated to support barbican, vault, and onepassword.
  • Migration script tested for both up and down scenarios.
  • Verified that the GCP typo fix doesn't break existing secret stores.
  • Unit tests updated to reflect the new API version.
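
The macro format and per-provider settings described above, as an added example that is not code from this PR or the project: a resolver that extracts `{{provider:name:key}}` references, fails closed on unknown or disabled providers, and maps accepted ones to their `clusterSecretStore`. The regex, the `resolveSecretRefs` name, the reading of an empty `allowedPrefixes` as "no restriction", and the `team-a-` prefix are assumptions.

```javascript
// Added example: illustrative pattern and policy, not the project's SECRET_REF_REGEX.
const KNOWN_PROVIDERS = new Set(['aws', 'gcp', 'barbican', 'vault', 'onepassword']);

// Matches {{provider:name:key}}. The name may contain '/', as in the vault and
// onepassword forms. The provider is captured loosely so that unknown providers
// are reported instead of being left in the output as literal text.
const MACRO = /\{\{([a-z0-9-]+):([A-Za-z0-9_.\/-]+):([A-Za-z0-9_.-]+)\}\}/g;

// Constructed config in the shape of the post-migration secretProviders object.
// The barbican prefix restriction is a hypothetical value for this example.
const sampleConfig = {
  gcp: { enabled: true, clusterSecretStore: 'gcp-secretsmanager',
         refreshInterval: '1h', allowedPrefixes: [] },
  barbican: { enabled: true, clusterSecretStore: 'barbican-secretsmanager',
              refreshInterval: '1h', allowedPrefixes: ['team-a-'] },
};

function resolveSecretRefs(template, config) {
  const resolved = [];
  const rejected = [];
  for (const [macro, provider, name, key] of template.matchAll(MACRO)) {
    if (!KNOWN_PROVIDERS.has(provider)) {
      rejected.push({ macro, reason: 'unknown-provider' });
      continue;
    }
    // Own-property lookup only; a provider missing from config counts as disabled.
    const cfg = Object.prototype.hasOwnProperty.call(config, provider)
      ? config[provider] : null;
    if (!cfg || cfg.enabled !== true) {
      rejected.push({ macro, reason: 'provider-not-enabled' });
      continue;
    }
    // Assumption: an empty allowedPrefixes list means "no restriction".
    const prefixes = cfg.allowedPrefixes || [];
    if (prefixes.length > 0 && !prefixes.some((p) => name.startsWith(p))) {
      rejected.push({ macro, reason: 'prefix-not-allowed' });
      continue;
    }
    resolved.push({ provider, name, key, store: cfg.clusterSecretStore,
                    refreshInterval: cfg.refreshInterval });
  }
  return { resolved, rejected };
}

// Constructed input covering accepted and rejected cases for each rule.
const sampleTemplate = 'db={{barbican:team-a-db:password}} t={{vault:path/to/secret:key}} ' +
  'k={{gcp:api-key:value}} x={{barbican:other-db:password}} y={{etcd:foo:bar}}';
console.log(JSON.stringify(resolveSecretRefs(sampleTemplate, sampleConfig), null, 2));
```

Text that does not fit the three-part shape at all (for example a macro with only two fields) is not matched by this pattern and would need a separate check.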

binlab requested a review from a team as a code owner on March 16, 2026 23:25
binlab force-pushed the feat/eso-v1-and-openstack branch from ba3f960 to 3ded4b8 on March 17, 2026 00:07
binlab force-pushed the feat/eso-v1-and-openstack branch from 17611f0 to 43d8c8e on March 17, 2026 20:21
binlab changed the title from "feat: ESO v1 and OpenStack support" to "feat: upgrade to external-secrets v1, add Barbican(OpenStack)/Vault/1Password providers, and fix GCP typo" on Mar 17, 2026
binlab merged commit 28dc0f3 into main on Mar 18, 2026
5 checks passed