ROX-16664: backup central encryption key

[johannes94]

Description

Depends on #1285 and #1295 .

This PR add the central-encryption-key secret to the list of secrets that should be backed up in fleetmanagers database. It also adds an E2E test to test all expected secrets get backed up.

Checklist (Definition of Done)

• Unit and integration tests added
• Added test description under Test manual
• Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
• CI and all relevant tests are passing
• Add the ticket number to the PR title if available, i.e. ROX-12345: ...
• Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.
• Add secret to app-interface Vault or Secrets Manager if necessary
• RDS changes were e2e tested manually
• Check AWS limits are reasonable for changes provisioning new resources

Test manual

# Test with local FM, FS and OSD cluster in dev AWS account
# Flip the PubliclyAccessible flag in rds.go

make binary
make db/teardown db/setup db/migrate

./fleet-manager serve --enable-central-external-certificate --dataplane-cluster-config-file ./dev/config/dataplane-cluster-configuration-infractl-osd.yaml --force-leader --central-idp-client-id ""

# Start fleetshard-sync in another terminal
# Prepare environment
export CLUSTER_NAME=local_cluster                 
export MANAGED_DB_ENABLED=true
export AWS_AUTH_HELPER=aws-saml
export CREATE_AUTHPROVIDER=true

./dev/env/scripts/exec_fleetshard_sync.sh

# In another terminal
./scripts/create-central.sh

# Wait for provisioning state and fleetshard first reconciliation
# See that the key was generated and is 32 bytes 
kubectl get secrets -n rhacs-ck6p6969rus49ma6iko0 central-encryption-key -o yaml | yq .data.encryptionKey | base64 -d | base64 -d | wc -c
# Store secret for comparison later on
kubectl get secrets -n rhacs-ck6p6969rus49ma6iko0 central-encryption-key -o yaml | yq .data.encryptionKey > firstKey.txt

# Wait for ready state and creation of routes
# Check fleetshard-sync logs for status report of secrets
# Check that all "central-db-password" "central-tls" and "central-encryption-key" were reported
# search for "Secrets:map[central" to find the message

# Delete the tenant
export OCM_TOKEN=$(ocm token)
export central_id=<your-central-id>

./scripts/fmcurl "rhacs/v1/centrals/$central_id?async=true" -XDELETE -v

# Wait for full deletion, get admin tokens in the meantime
rhoas login --auth-url=https://auth.redhat.com/auth/realms/EmployeeIDP 
export OCM_TOKEN=$(rhoas authtoken)

# Restore from backup
./scripts/fmcurl "rhacs/v1/admin/centrals/$central_id/restore" -XPOST -v 

# Restore should run through successful, after restore get the restored key

# To run tests locally run:
make db/teardown db/setup db/migrate
make ocm/setup OCM_OFFLINE_TOKEN=<ocm-offline-token> OCM_ENV=development
make verify lint binary test test/integration

[vladbologa]

LGTM!

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johannes94, vladbologa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [johannes94,vladbologa]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[johannes94]

/retest