[DOM-47678] Fix secret querying

 - Add secrets list perms

   The secret reading code had a late change to search for matching
   secrets with the correct hephaestus-accessible label instead of
   performing a simple get by namespace/name.

   While this prevents Hephaestus code from even accessing the secret,
   it also now requires the list permission to query secrets.

 - Correctly specify fields for secret name and namespace by specifying
   the metadata. prefix

 - Unit tests don't support the filter syntax and don't apply Kubernetes
   permissioning, and the repo functiona. tests which actually use
   Kubernetes are currently not operational, so this slipped past review

deployments/helm/hephaestus/templates/controller/clusterrole.yaml

@@ -91,6 +91,7 @@ rules:
       - secrets
     verbs:
       - get
+      - list
       - update
   - apiGroups:
       - apps

pkg/controller/support/secrets/secrets.go

@@ -42,11 +42,12 @@ func ReadSecrets(
 
 		path := strings.Join([]string{secretRef.Namespace, secretRef.Name}, "/")
 		log.Info("Finding secret", "path", path)
-		fields := fields.SelectorFromSet(map[string]string{"Namespace": secretRef.Namespace, "Name": secretRef.Name})
+		fields := fields.SelectorFromSet(
+			map[string]string{"metadata.namespace": secretRef.Namespace, "metadata.name": secretRef.Name})
 		// prevent exfiltration of arbitrary secret values by using the presence of this label
 		labels := labels.SelectorFromSet(map[string]string{hephv1.AccessLabel: "true"})
-		secrets, err := secretClient.List(ctx,
-			metav1.ListOptions{FieldSelector: fields.String(), LabelSelector: labels.String()})
+		secrets, err := secretClient.List(ctx, metav1.ListOptions{
+			FieldSelector: fields.String(), LabelSelector: labels.String()})
 
 		if err != nil {
 			return map[string][]byte{}, fmt.Errorf("failure querying for secret %q: %w", path, err)