fix(k8s,scheduled_task): file-type parameter no longer leaks binary as env var

[fedemaleh]

Summary

Deployments with a binary file-type parameter (e.g. a P12 certificate) failed at pod start with:

OCI runtime create failed: ... invalid environment variable
"app-data-<filename>": contains nul byte (\x00)

Investigating that error revealed the underlying bug: file parameters were being exported as env vars alongside environment-type parameters. For binary files this fails at the runtime layer (NUL bytes are illegal in env var values); for text files it would silently work but is still wrong — file content has no business being in an env var.

Fix

The application container loads its env vars via envFrom: secretRef:, which imports every key in the referenced Secret as an env var. The only reliable way to keep file bytes out of the env block is to put them in a different Secret object.

So the deployment now provisions two Secrets:

• s-<scope>-d-<deploy> — env-safe values only (env-type params + NP_*). Consumed via envFrom.
• s-<scope>-d-<deploy>-files — binary file content only. Consumed by the volume mount.

For each file parameter the application container also gets a plain env: entry (not from any Secret) named app-data-<sanitized-param-name> whose value is the file's destination_path, so apps can discover where the file was mounted.

Same fix applied to scheduled_task (which reuses the k8s Secret templates).

Test plan

• bats k8s/deployment/tests/build_deployment.bats — 12/12 pass. New render test exercises a file param with a tricky name ("API P12 Cert!") and a destination path containing YAML metacharacters (/app-data/[2026-05-27] cert.p12) to lock in both the sanitization and the path-quoting.
• Verified end-to-end with gomplate + kubectl apply --dry-run=client.
• Cluster test with a real P12 file parameter — pod starts, cert readable at destination_path.