Use the access key for the fleetshard-sync AWS auth on the local dev environment

[kovayur]

Description

It turned out that the static key or jwt loaded from the OAuth identity provider is not suitable for the local development, because:

1. AWS rejects tokens with the long validity period even if they are not expired. It means that we need to refresh the "static" token periodically, which requires some effort.
2. It's hard to setup the token in a case when fleetshard-sync runs locally out of the cluster.

As a result, fleetshard-sync can't start locally with MANAGED_DB_ENABLED=true

We are forced to use the access key for this special case, as it is most convenient. It will also help in addressing the concerns raised in #1078.

The change in rds.go will make the configuration loadable from environment variables, allowing the auth type to be switched. In the case of dev environments, the access key will be used. In other cases the token will remain.

I also added the support of the access key to the helm chart to use it on the dev environment in the future.

Checklist (Definition of Done)

• Unit and integration tests added
• Added test description under Test manual
• Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
• CI and all relevant tests are passing
• Add the ticket number to the PR title if available, i.e. ROX-12345: ...
• Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.
• Add secret to app-interface Vault or Secrets Manager if necessary
• RDS changes were e2e tested manually
• Check AWS limits are reasonable for changes provisioning new resources

Test manual

1. helm template
2. ./dev/env/scripts/up.sh
3. ./dev/env/scripts/exec_fleetshard_sync.sh
4. RDS E2E tests

[johannes94]

Did I understand correctly, that by using this it will automatically use:

• AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY if set
• AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE if set
• return an error if no successful authentication was possible?

[kovayur]

Yes, correct.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johannes94, kovayur

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [johannes94,kovayur]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment