fix(controller): prevent NodeAgent restarts from ESO metadata updates

[kaovilai]

Fixes ESO-234: NodeAgent was restarting every ~30s when External Secrets
Operator managed the cloud-credentials secret. ESO's metadata-only updates
were triggering unnecessary DPA reconciliations.

Changes:

• Updated labelHandler.Update() to skip reconciliation for Secret objects
  when only metadata changes (ResourceVersion, annotations, etc.)
• Added comprehensive unit tests for labelHandler covering all scenarios
• Maintains backward compatibility for non-Secret resources

This prevents unnecessary NodeAgent daemonset updates while preserving
reconciliation for actual data or label changes.

🤖 Generated with Claude Code

Co-Authored-By: Claude noreply@anthropic.com

Why the changes were made

How to test the changes made

Continuation of #1998 on a thawed oadp-dev branch.

[weshayutin]

thanks @kaovilai ! Please do not cherry pick until 1.5.3. is GA :)

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai, weshayutin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [kaovilai]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kaovilai]

@weshayutin although.. do we know if they are changing label every 30 seconds? are we supposed to ignore label changes?

[weshayutin]

Couple notes that I have would be.

1. I could be wrong but it's my understanding the external secrets operator is tech-preview.
2. I'm not the smartest guy in the world but it seems to me that ESO should check the secret but if no change is required, I think ANY metadata on the secret should remain UNCHANGED, hence why I moved the bug to ESO.
3. I DO like being defensive in this case, and we either need to set it up and try/test or enquire w/ the ESO team re: labels.
4. I don't think this is a priority for our attention atm based on my above understanding. I could be wrong though.

[kaovilai]

/retest

ai-retester: The end-to-end test e2e-test-aws failed because the MySQL application KOPIA test timed out. Specifically the todolist container in pod todolist-1-vcz9l showed ContainersNotReady condition, failing to start after an extended period. This seems to be the primary cause, even though the *mysql container triggered warning messages regarding failed liveness probes too.

[kaovilai]

/retest

ai-retester: The e2e test failed because the MySQL application KOPIA test timed out and ultimately failed due to the todolist container in pod todolist-1-9znqw repeatedly failing readiness checks (containers not ready, "PodInitializing"). The underlying issues may have been with the liveness probe failing for the mysql database indicating i/o timeout .

[openshift-ci]

@kaovilai: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.