[patch] remove ibm_entitlement_key from Tekton param flow and source from secrets

[jigneshchauhan2001]

Summary

ibm_entitlement_key was appearing as plaintext in pod environment variables and was being passed through the MAS install PipelineRun into pod specs.
This change removes ibm_entitlement_key from the Tekton parameter flow under /cli/tekton/src and updates affected task pods to read IBM_ENTITLEMENT_KEY from Kubernetes secret pipeline-additional-configs.
It also applies the SLS speific-fix in /cli/tekton/src/tasks/dependencies/sls.yml.j2 so IBM_ENTITLEMENT_KEY is not injected into the SLS pod for newer SLS channel paths (sls_channel > 3.7.0).

Changes

ibm_entitlement_key moved to Secrets

• replaced task pod env usage of $(params.ibm_entitlement_key) with valueFrom.secretKeyRef in affected task templates under:
  • /cli/tekton/src/tasks
• removed ibm_entitlement_key Tekton param wiring from affected pipeline/taskdef templates under:
  • /cli/tekton/src/pipelines
• removed shared param definitions where no longer needed under:
  • cli/tekton/src/params

SLS fix:

• updated:
  - /cli/tekton/src/tasks/dependencies/sls.yml.j2
• behavior:
  • omit IBM_ENTITLEMENT_KEY when sls_channel > 3.7.0

This change ensures:

• the entitlement key is no longer exposed through Tekton params
• affected pods read the key from Kubernetes Secret
• SLS no longer receives the entitlement env in the newer channel path

Validation

Validation details are attached in
Validations.docx

Which contains UI and CLI validation confirmed:

• PipelineRuns do not contain ibm_entitlement_key
• secret pipeline-additional-configs contains IBM_ENTITLEMENT_KEY
• non-SLS install pods use valueFrom.secretKeyRef
• SLS pod does not contain IBM_ENTITLEMENT_KEY in the validated newer-channel path
• non-SLS pod YAML does not contain ibm_entitlement_key

Validated on Fyre OCP cluster:

• install completed successfully
• fvt-core completed successfully
• fvt-sls completed successfully
• fvt-manage completed successfully

FVT dashboard link:

• https://dashboard.ibmmas.com/tests/fixsecurity/7525

[whitfiea]

The changes update all the references to the entitlement key but i don't think it is updating all the pipelines to use this workspace that contains it i.e. i don't think aiservice or backup/restore pipelines use pipeline-additional-configs workspace so those need updating.
Also the backup/restore needs the secret set like it does in the app.py for install.

The secretKeyRef is also set as optional: true, when it shouldn't really be optional.

[whitfiea]

why is there an if condition on include_dro?

[jigneshchauhan2001]

I have removed if condition on incldue_dro in ibm_entitlement_key initialisation.

[whitfiea]

We can't change the existing workspace, we should just add the workspace

[jigneshchauhan2001]

I have restored the existing workspace.