ROX-18428: report secret data to fleet-manager

[johannes94]

Description

This PR adds the logic to report K8s secrets created by FS sync or the RHACS operator back to store them in fleet-manager (namely central-tls and central-db-password). The secrets are encrypted using AWS KMS to ensure they are stored securely in FMs database and in transit. We need to create the KMS keys before merging this into main and deploying it to the stage environment. Because of that the PR: https://github.com/stackrox/acs-fleet-manager-aws-config/pull/117 has to be merged first.

This is part of the Epic https://issues.redhat.com/browse/ROX-17060, the implementation to restore secrets if they are missing in the cluster will be done in another PR.

In this PR we implement following parts of the overall solution:

• Getting the secret from cluster
• Encrypting them
• Report from fleetshard-sync to fleet-manager
• Store them in fleet-manager DB
• Report if secrets are stored or not

Checklist (Definition of Done)

• Unit and integration tests added
• Added test description under Test manual
• Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
• CI and all relevant tests are passing
• Add the ticket number to the PR title if available, i.e. ROX-12345: ...
• Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.
• [ ] Add secret to app-interface Vault or Secrets Manager if necessary
• [ ] RDS changes were e2e tested manually
• Check AWS limits are reasonable for changes provisioning new resources

Test manual

# Create an OSD cluster using the rhacs-managed-service-dev account
# Provision enough resources for an internal PostgreSQL DB at this point at least 1 node with 8 CPUs

make binary
make db/teardown db/setup db/migrate

# Login to OSD cluster and install RHACS Operator
# Configure AWS CLIE to point to dev
# Create a fleet-manager cluster-config for the OSD cluster by editing /dev/config/dataplane-cluster-configuration-infractl-osd.yaml

# Start fleet-manager and fleetshard-sync in different shells
# Configure fleetshard-sync
export AWS_REGION=us-east-1
export SECRET_ENCYRPTION_TYPE=kms
export OCM_TOKEN=$(ocm token --refresh)
export AUTH_TYPE="ocm"
export SECRET_ENCRYPTION_KEY_ID=<dev secret encryption key>
export CLUSTER_ID=<your-cluster-id>
./fleetshard-sync

# Run fleet-manager
./fleet-manager serve --dataplane-cluster-config-file "./dev/config/dataplane-cluster-configuration-infractl-osd.yaml"

# Create a central and make sure it get's to ready state without errors
./scripts/create-central.sh

# Make sure secrets are populated in the database
make db/psql
select id, status, secrets from central_requests;

# To run tests locally run:
make db/teardown db/setup db/migrate
make ocm/setup OCM_OFFLINE_TOKEN=<ocm-offline-token> OCM_ENV=development
make verify lint binary test test/integration

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johannes94, vladbologa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [johannes94,vladbologa]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vladbologa]

Suggested change

	secretService *k8s.SecretBackup
	secretBackup *k8s.SecretBackup

[johannes94]

Done.

[openshift-ci]

New changes are detected. LGTM label has been removed.