[Authentication] Change user secret token from username to userid

[liranbg]

📝 Description

📝 Description

Change user token secret naming convention to use auth_info.user_id instead of auth_info.username. This change ensures that user token secrets are stored using a stable identifier (user_id which is a UUID) rather than usernames which may contain characters invalid for Kubernetes resource names.

---

🛠️ Changes Made

• Changed store_user_token_secret to accept auth_info directly instead of username
• Added auth_userid label from auth_info.user_id for secret identification
• Updated resolve_auth_token_secret_name to use user_id parameter
• Added InternalAnnotations class in constants for annotation keys

---

✅ Checklist

• I updated the documentation (if applicable)
• I have tested the changes in this PR
• I confirmed whether my changes are covered by system tests
  • If yes, I ran all relevant system tests and ensured they passed before submitting this PR
  • I updated existing system tests and/or added new ones if needed to cover my changes
• If I introduced a deprecation:
  • I followed the Deprecation Guidelines
  • I updated the relevant Jira ticket for documentation

---

🧪 Testing

• Unit tests + ig4 running KFP / Kubejob

---

🔗 References

• Ticket link: https://iguazio.atlassian.net/browse/ML-11976
• Design docs links:
• External links:

---

🚨 Breaking Changes?

• Yes (explain below)
• No

---

🔍️ Additional Notes

[quaark]

What I'm missing from the PR is the option to still supply a username (on list / revoke) and have mlrun use iguazio sdk to resolve the user id. If all that is waiting for ML-10775, then ignore this comment

[elbamit]

Looking good. Minor question - don't you want to sanitize everything that is saved as a label? user_id and token_name?