[ws-manager] Only extract secrets when FF is set

[csweichel]

Description

Otherwise content init fails for private repositories.

How to test

1. open a workspace on a private repo
2. enable the protected_secrets FF and open a workspace on a private repo

Release Notes

NONE

Werft options:

• /werft with-preview

[geropl]

Starting to review now...

[geropl]

This looks fishy to me:

• why the change to workspace_image?
• and why do all other files keep using workspaceImage?
  🤔

[geropl]

/werft run

👍 started the job as gitpod-build-cw-fix-ots.3
(with .werft/ from main)

To get a preview env...

[geropl]

/werft run with-preview=true

👍 started the job as gitpod-build-cw-fix-ots.4
(with .werft/ from main)

Did not pick up the flag last time...? 🤷

[geropl]

I tested with a private repo and an user env var and protected_secrets set to:

• ws-manager from this branch:
  • true: ✔️
  • false: ✔️
• ws-manager we currently use in prod (ws-clusters and application clusters, commit-d537b24994f67318dcadb9d29ebc132d36514f8c):
  • false: ✔️
  • true: 💥 (which is expected when you think about it): Error: 2 UNKNOWN: cannot create workspace pod: cannot create definite workspace pod: unknown feature flag: 8

This means:

• we have to make sure we standup new ws-clusters before using this feature (kind of make sense) ✔️
• during next WebApp deployment we should make sure to update ws-manager as well (the default, and will happen anyway) ✔️

[geropl]

Tested with multiple versions, and is safe to roll out either way as long as we keep the feature flag protectes_secrets disabled as long as ws-manager not rolled out everywhere (WebApp and Workspace): #11198 (comment) 👍

[atduarte]

For the others that might have the same question as I did:
FF = Feature Flag.