✨ feat(VSecM Safe): #460 Manual Root Key Updates K8s Secret

[gurkanguray]

Manual Root Key Updates K8s Secret

Description

VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET env variable added for giving an option to updating internal k8s secrets when manual root key provided.

Changes

• Renamed app/safe/internal/privates.go to app/safe/internal/bootstrap/persist.go since we use this function in the app/safe/internal/server/route/receive.go to persist keys with the manual root key. Therefore, it's not private to bootstrap anymore.
• Added VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET to core/safe.go with its unit tests.
• Added VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET information details to docs/_pages/0110-configuration.md file

Test Policy Compliance

• I have added or updated unit tests for my changes.
• I have included integration tests where applicable.
• All new and existing tests pass successfully.

Code Quality

• I have followed the coding standards for this project.
• I have performed a self-review of my code.
• My code is well-commented, particularly in areas that may be difficult
  to understand.

Documentation

• I have made corresponding changes to the documentation (if applicable).
• I have updated any relevant READMEs or wiki pages.

Checklist

Before you submit this PR, please make sure:

• You have read the contributing guidelines and
  especially the test policy.
• You have thoroughly tested your changes.
• You have followed all the contributing guidelines for this project.
• You understand and agree that your contributions will be publicly available
  under the project’s license.

By submitting this pull request, you confirm that my contribution is made under
the terms of the project’s license and that you have the authority to grant
these rights.

---

Thank you for your contribution to VMware Secrets Manager
🐢⚡️!

[v0lkan]

We don’t need the checks in the first if.

The user can change the key (at their own risk) if they want to.

"manual mode" is only for the bootstrapping flow.

Can we replace it with this, please?

	if env.ManualRootKeyUpdatesKubernetesSecret() {
 		if err := bootstrap.PersistKeys(agePrivateKey, agePublicKey, aesCipherKey); err != nil {
 			log.ErrorLn(&cid, "Keys: Problem persisting keys", err.Error())
 		}
 	}

[v0lkan]

Can we add a comment here?

Something like:

// Save the key to VSecM Safe's memory, and also save them to 
// VSecM Safe's root key Kubernetes Secret.
// If the root key input mode is not manual, VSecM Safe will
// use a trusted backing store to retrieve the key in case of
// Pod crash or eviction. As of Mar,17, 2024 the only trusted
// backing store is the VSecM root key Kubernetes Secret; however
// this will change in the future.
if err = PersistKeys(privateKey, publicKey, aesSeed); err != nil {

[v0lkan]

Reasoning: I always forget why we didn’t do a "IsManualRootKeySavedAsK8sSecret()" check here; so it’s reminder to me, and also anyone who thinks the same too :) .

[v0lkan]

Two relatively straightforward comments and change requests.

Other than that, it looks good.

Thanks for your contribution 🚀 .

[v0lkan]

This has been waiting for a while; I’ll merge it and add the necessary changes afterwards maybe.

[v0lkan]

What I’ll do.

1. run tests on main
2. if they pass, I’ll merge this and run tets.
3. if they pass, I’ll do a tiny amend and repeat (2)
4. if either fails, I’ll revert.