Adding session recording encryption key rotation to tctl

[eriktate]

This PR adds subcommands for rotating session recording encryption keys under tctl recordings encryption. They are rotate, status, complete-rotation, and rollback-rotation.

• rotate will start a rotation by provisioning a new key and adding it to the active set of encryption keys.
• status will print the state of each key along with its fingerprint.
• 'complete-rotation' will move the rotated key of an in-progress rotation into a RotatedKeys resource which makes it usable for replays
• 'rollback-rotation' will remove the new key in an in-progress rotation and reinstate the original key. Running rotate and rollback should ultimately result in no changes being applied.

There's also a fix for using manual_key_management from the fileconfig included.

$ tctl recordings encryption --help
usage: tctl recordings encryption <command> [<args> ...]

Manage encryption properties of session recordings.

Flags:
  -d, --[no-]debug     Enable verbose logging to stderr
  -c, --config         Path to a configuration file [/etc/teleport.yaml] for an Auth Service instance. Can also be set via
                       the TELEPORT_CONFIG_FILE environment variable. Ignored if the auth_service is disabled.
      --auth-server    Attempts to connect to specific auth/proxy address(es) instead of local auth [127.0.0.1:3025]
  -i, --identity       Path to an identity file. Must be provided to make remote connections to auth. An identity file can be
                       exported with 'tctl auth sign'
      --[no-]insecure  When specifying a proxy address in --auth-server, do not verify its TLS certificate. Danger: any data
                       you send can be intercepted or modified by an attacker.

Commands:
  recordings encryption rotate            Rotate encryption keys used for encrypting session recordings.
  recordings encryption status            Show current rotation status
  recordings encryption complete-rotation Completes an in-progress encryption key rotation.
  recordings encryption rollback-rotation Rolls back an in-progress encryption key rotation.

[rosstimothy]

This seems like it could cause problems if we forget to update this in response to any changes made to the types.SessionRecordingEncryptionConfig resource. Why is this needed?

[eriktate]

Fields with underscores were broken before I added this, so manual_key_management and proxy_checks_host_keys. If there's a way to get the yaml parser to use the json tags during unmarshaling, that would definitely be better

[rosstimothy]

@atburke any thoughts here regarding the yaml parser and json tags with _?

[atburke]

The yaml parser isn't seeing the json tags at all and is assuming camel case instead of snake case. I don't think any of our current yaml packages can handle mixed yaml and json tags within the same object; we'll have to either do what you're doing here or get goccy just for ReadConfig.