Allow rotating most secrets

[sethvargo]

This isn't 100% complete, but it's about 95% toward GH-429. I'd eventually like to write a utility in tools/ that generates the secrets and puts them in Secret Manager so a human never sees them, but didn't want to muddle that with the actual docs/implementation.

Release Note

Add support for rotating HMAC and encryption keys

[sethvargo]

/assign @mikehelmick

[icco]

Mostly just nits and questions

[icco]

Could. you add a command to turn this from base64? Just to make this as dumb simple as possible to follow in case of a breach.

[sethvargo]

Not sure I understand. The openssl commands output base64, and the envvar accepts base64. Why would we want something that decodes it?

[icco]

oh, that's not how I read this. I thought this value was a base64 encoded value of an array of base64 strings.

[sethvargo]

Clarified.

[icco]

I like this a lot, I look forward to the tooling. Maybe add a TODO for that?

[sethvargo]

I was toying with the tooling yesterday. It's actually somewhat annoying because Terraform is managing the secret and the envvars.

[icco]

/lgtm

Thanks for clarifying!

[google-oss-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: icco, sethvargo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [icco,sethvargo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment