
Create vizier and cloud cert-manager compatible secrets #2391

Merged: ddelnano merged 3 commits into pixie-io:main from ddelnano:ddelnano/create-cert-manager-compatible-secrets, Jun 22, 2026
@ddelnano (Member) commented Jun 22, 2026

Summary: Create vizier and cloud cert-manager compatible secrets

Pixie's certificate management predates cert-manager becoming the definitive method for managing k8s certs. As a result, Pixie's certificates are created in an incompatible way to how cert-manager creates its TLS secrets -- Pixie's are of type generic and bundle client and server certs while cert-manager uses the tls secret type and only can store a single CA, key and cert file.

This PR updates Pixie's certificate management to create the existing generic secret alongside two tls type secrets.

Future PRs will move the consumers of these secrets to use the newer cert-manager compatible equivalents.

Relevant Issues: N/A

Type of change: /kind cleanup

Test Plan: Used this as part of a larger change to deploy a cloud with cert-manager service tls certs

Changelog Message: Update Pixie's vizier and cloud certificate management to create cert-manager compatible kubernetes secrets
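
The reshaping the description refers to, sketched as an added example in Go (not Pixie's code): one bundled secret becomes a server and a client secret of type `kubernetes.io/tls`, each holding `tls.crt`, `tls.key` and `ca.crt`, and a key that does not match its certificate is rejected. The bundle key names (`server.crt`, `client.key`, ...) and the in-memory `TLSSecret` struct are assumptions; the certificates are constructed throwaway pairs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// TLSSecret models only the type and data fields of a kubernetes.io/tls Secret.
type TLSSecret struct {
	Type string
	Data map[string][]byte
}

// splitBundle reshapes one bundled secret into server and client tls-type secrets.
func splitBundle(bundle map[string][]byte) (map[string]TLSSecret, error) {
	out := map[string]TLSSecret{}
	for _, role := range []string{"server", "client"} { // assumed bundle key prefixes
		crt, key := bundle[role+".crt"], bundle[role+".key"]
		// X509KeyPair rejects a key that does not belong to the certificate.
		if _, err := tls.X509KeyPair(crt, key); err != nil {
			return nil, fmt.Errorf("%s pair: %w", role, err)
		}
		out[role] = TLSSecret{Type: "kubernetes.io/tls", Data: map[string][]byte{
			"tls.crt": crt, "tls.key": key, "ca.crt": bundle["ca.crt"]}}
	}
	return out, nil
}

// selfSigned returns a constructed throwaway certificate and key as PEM.
func selfSigned(cn string) (crt, key []byte) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &k.PublicKey, k)
	kb, _ := x509.MarshalECPrivateKey(k)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: kb})
}

func main() {
	sc, sk := selfSigned("demo") // one constructed pair reused for both roles
	s, err := splitBundle(map[string][]byte{"server.crt": sc, "server.key": sk,
		"client.crt": sc, "client.key": sk, "ca.crt": sc})
	fmt.Println(len(s), err)
}
```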

ddelnano added 2 commits June 21, 2026 23:03
…secret

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
ddelnano requested review from a team as code owners June 22, 2026 06:13
Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
ddelnano merged commit 7622689 into pixie-io:main Jun 22, 2026
21 of 22 checks passed
ddelnano added a commit that referenced this pull request Jun 22, 2026
…secret (#2392)

Summary: [cloud] Replace service-tls-certs usage with cert-manager
compatible secret

This is dependent on #2391. This updates all of cloud manifests to use
the newer, cert-manager compatible style secret.

Relevant Issues: N/A

Type of change: /kind cleanup

Test Plan: Used these changes in https://github.com/k8sstormcenter/pixie
to deploy a Pixie Cloud that uses cert-manager service tls certs

Changelog Message: Update Pixie cloud's service tls certs to use
cert-manager compatible secrets

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
k8sstormcenter-buildbot pushed a commit to k8sstormcenter/pixie that referenced this pull request Jun 22, 2026
Summary: Create vizier and cloud cert-manager compatible secrets

Pixie's certificate management predates cert-manager becoming the
definitive method for managing k8s certs. As a result, Pixie's
certificates are created in an incompatible way to how cert-manager
creates its TLS secrets -- Pixie's are of type generic and bundle client
and server certs while cert-manager uses the [tls secret
type](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets)
and only can store a single CA, key and cert file.

This PR updates Pixie's certificate management to create the existing
generic secret alongside two tls type secrets.

Future PRs will move the consumers of these secrets to use the newer
cert-manager compatible equivalents.

Relevant Issues: N/A

Type of change: /kind cleanup

Test Plan: Used this as part of a larger change to deploy a cloud with
cert-manager service tls certs

Changelog Message: Update Pixie's vizier and cloud certificate
management to create cert-manager compatible kubernetes secrets

---------

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
GitOrigin-RevId: 7622689
ConstanzeTU pushed a commit to k8sstormcenter/pixie that referenced this pull request Jun 24, 2026
…i.bzl, fork cockpit)

The merge of main into ae-followup-auth (0c65751) silently took the
upstream version on a swath of files where the fork had previously
deviated. This commit reverts the merge's regressions back to the
fork-correct state (origin/ae-prod) AND completes the runner-label
sweep so every release/mirror/perf workflow uses the same -vm-16cpu
label the fork's runner pool actually has.

1. Runner labels — main re-introduced 'oracle-16cpu-64gb-x86-64' and
   'oracle-8cpu-32gb-x86-64' on 7 workflows. Fork's pool only resolves
   'oracle-vm-16cpu-64gb-x86-64'; both stale labels sit queued forever.
   Fixed: cli_release.yaml (L18+L212), cloud_release.yaml (L18),
   mirror_demos.yaml (L12), mirror_deps.yaml (L12),
   mirror_releases.yaml (L13), operator_release.yaml (L18+L143),
   perf_common.yaml (L37+L60). vizier_release.yaml L18 was fixed
   already in 0fd9c3f.

2. bazel/ui.bzl — main reverted PR #64's webpack-build fixes that
   broke release/cloud/v0.0.10 with 'export: `18': not a valid
   identifier'. Restored: 'set -x' for action-shell tracing, PATH
   that puts /opt/px_dev/tools/node/bin FIRST, 'hash -r', the
   STABLE_BUILD_TAG|BUILD_TIMESTAMP allowlist sed (vs the wildcard
   that word-splits FORMATTED_DATE), and use_default_shell_env=True
   so --incompatible_strict_action_env doesn't strip yarn from PATH.

3. 28 fork-cloud config files — main's PR pixie-io#2391 (cert-manager
   migration) deleted private/cockpit/*,
   terraform/kubernetes/auth0/*, terraform/kubernetes/cloud_deps/*,
   .sops.yaml, private/skaffold_cloud.yaml. These are still load-
   bearing for the AOCC pixie-cloud deployment; the fork hasn't
   migrated to cert-manager-compatible secrets yet (PR pixie-io#2391's
   monitor.go fallback path is in place, so adoption is the
   follow-up, not a blocker). Restored all 28 from origin/ae-prod.

Genuine main pickups that were CORRECT to keep (no fix needed): the
src/utils/shared/k8s/{apply,delete}.go import-order +
sets.New[string] generics migration,
src/operator/controllers/monitor.go's cert-manager secret fallback,
and the src/carnot/BUILD.bazel + src/carnot/exec/BUILD.bazel
additions.