
feat(runtime): Validate cross-namespace secret refs in SecretValueFromReference#254

Open
sapphirew wants to merge 1 commit into aws-controllers-k8s:main from sapphirew:secret-cross-namespace-validation

Conversation

@sapphirew
Contributor

Issue #, if available:

Description of changes:

Move cross-namespace validation for secret references into SecretValueFromReference so every caller is covered, including custom update functions (e.g. RDS db_cluster/custom_update.go) and hooks that call it directly rather than going through generated sdk.go code.

  • When --enable-cross-namespace is false and the secret targets a different namespace, return a terminal error (wrapping the ResourceReferenceCrossNamespaceNotAllowed sentinel). The caller's existing condition machinery sets ACK.Terminal from the message.
  • When the flag is true, log a deprecation warning and resolve the secret from the target namespace (Phase 1 behavior).
  • Same-namespace and empty-namespace refs are unaffected.

This lets the code-generator drop the per-call secret validation block it currently emits in set_sdk.go, which only covered generated sdk.go call sites.

Addresses review feedback on aws-controllers-k8s/code-generator#699.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@ack-prow ack-prow Bot requested review from a-hilaly and jlbutler June 5, 2026 00:05
ack-prow Bot commented Jun 5, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sapphirew
Once this PR has been reviewed and has the lgtm label, please assign a-hilaly for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Comment thread pkg/runtime/reconciler.go
return "", ackerr.NewTerminalError(err)
}
if isCrossNamespace {
r.log.V(0).Info(
Contributor


Do we need to also apply a condition to the resource similar to FieldExports and ResourceReferences? If yes, we may need to change the function signature. We'd still need to manually update the SecretValueFromReference calls in custom code, but at least they'd fail loudly.

…mReference

Move cross-namespace validation for secret references into
SecretValueFromReference so every caller is covered, including custom
update functions (e.g. RDS db_cluster/custom_update.go) and hooks that
call it directly rather than going through generated sdk.go code.

- When --enable-cross-namespace is false and the secret targets a
  different namespace, return a terminal error (wrapping the
  ResourceReferenceCrossNamespaceNotAllowed sentinel). The caller's
  existing condition machinery sets ACK.Terminal from the message.
- When the flag is true, log a deprecation warning, resolve the secret
  from the target namespace, and set the ACK.CrossNamespaceOptInRequired
  condition on the resource being reconciled.

Because SecretValueFromReference does not receive the resource handle,
the reconciler stashes the resource (a ConditionManager) in the context
via WithConditionManager; SecretValueFromReference retrieves it with
ConditionManagerFromContext and sets the condition through
SetCrossNamespaceOptInRequiredOnSubject. The condition is set on the
desired resource before sdkCreate/sdkUpdate deep-copies it into the
returned object, so it persists to the status patch. Passing no
ConditionManager is safe (the condition is simply skipped).

This lets the code-generator drop the per-call secret validation block
it currently emits in set_sdk.go, which only covered generated sdk.go
call sites.

Addresses review feedback on aws-controllers-k8s/code-generator#699.
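The namespace policy described in the PR text and the commit message (empty namespace resolves to the resource's own, cross-namespace with the flag off is a terminal error wrapping the sentinel, cross-namespace with the flag on resolves and sets ACK.CrossNamespaceOptInRequired through a ConditionManager stashed in the context, and a missing manager is skipped), as an added Go example that is not the ACK runtime's own code. Assumed for the example: the sentinel's Go name, a ConditionManager reduced to a callback, an in-memory SecretStore standing in for the Kubernetes API, the SecretKeyRef struct, and the standard log package for the deprecation warning.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"log"
)

// Sentinel standing in for the one the PR wraps (name assumed). TerminalError is
// non-retryable; the caller's condition machinery sets ACK.Terminal from its message.
var ErrCrossNamespaceNotAllowed = errors.New("cross-namespace secret reference not allowed")
type TerminalError struct{ Err error }
func (e *TerminalError) Error() string { return "terminal: " + e.Err.Error() }
func (e *TerminalError) Unwrap() error { return e.Err }
// ConditionManager is reduced to a callback here; the real one is a resource type (assumed).
type ConditionManager func(condType, msg string)
type cmKey struct{}
func WithConditionManager(ctx context.Context, cm ConditionManager) context.Context {
	return context.WithValue(ctx, cmKey{}, cm)
}
func ConditionManagerFromContext(ctx context.Context) ConditionManager {
	cm, _ := ctx.Value(cmKey{}).(ConditionManager)
	return cm
}
// SecretStore replaces the Kubernetes API: "ns/name/key" -> value (constructed by the caller).
type SecretStore map[string]string
type SecretKeyRef struct{ Namespace, Name, Key string }
// SecretValueFromReference resolves ref for a resource in resourceNS, applying the namespace policy.
func SecretValueFromReference(ctx context.Context, store SecretStore, resourceNS string,
	ref SecretKeyRef, enableCrossNS bool) (string, error) {
	ns := ref.Namespace
	if ns == "" {
		ns = resourceNS // empty namespace means the resource's own namespace
	}
	if ns != resourceNS {
		if !enableCrossNS { // flag off: terminal error wrapping the sentinel, nothing is read
			return "", &TerminalError{Err: fmt.Errorf("%w: %s/%s", ErrCrossNamespaceNotAllowed, ns, ref.Name)}
		}
		log.Printf("DEPRECATED: resource in %s references secret %s/%s", resourceNS, ns, ref.Name)
		if cm := ConditionManagerFromContext(ctx); cm != nil { // nil manager: condition skipped
			cm("ACK.CrossNamespaceOptInRequired", "secret "+ns+"/"+ref.Name+" is in another namespace")
		}
	}
	v, ok := store[ns+"/"+ref.Name+"/"+ref.Key]
	if !ok {
		return "", fmt.Errorf("secret %s/%s key %q not found", ns, ref.Name, ref.Key)
	}
	return v, nil
}
```

Because the terminal error wraps the sentinel, callers can distinguish the policy refusal with errors.Is and the non-retryable class with errors.As, which is what lets the existing condition machinery set ACK.Terminal without string matching.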
sapphirew force-pushed the secret-cross-namespace-validation branch from c78f739 to a8e6efc on June 5, 2026 01:16