runtime
Initial libsodium encryption of secrets
This adds the basics for encryption of secret data on a per-cluster acorn user namespace basis. There is a convenience call to bulk encrypt a message for multiple targets given a list of public keys. The implementation leverages libsodium sealed boxes where the nonce is a computed blake2b hash value of the sender and recipient's public keys.
On startup of Acorn, the cluster will generate a public/private key pair for the default namespace and store it in a K8s secret in the acorn-system namespace.
The key pair is available as a base64 encoded string in the acorn info command under the "namespace" top level key.
Users can encrypt a message for the current namespace by running:
acorn secret encrypt MSG
or
acorn secret encrypt --public-key <ns A pubkey> --public-key <ns B pubkey> MSG
The output can be placed in an Acornfile, passed as an argument to an Acorn image or provided by an existing secret at Runtime.
The format of an encrypted secret is:
ACORNENC:base64encode({"publicKey":"base64encode(ciphertext)", "publicKey":"base64encode(ciphertext)"})
This allows for the same message to be encrypted and passed to multiple clusters. Each cluster will look up the ciphertext in the map by its own public keys. An error will be returned if there isn't a key that can decrypt the value.
Signed-off-by: Bill Maxwell [email protected]
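The envelope format described in the commit message, as an added Go example that is not code from this commit: it parses an ACORNENC: value and selects the ciphertext addressed to one cluster's public key. Standard base64, the names Wrap and Lookup, and the 48-byte minimum length (libsodium's sealed-box overhead) are assumptions; opening the sealed box itself is left to libsodium.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

const prefix, sealOverhead = "ACORNENC:", 48 // 48 = libsodium crypto_box_SEALBYTES
var ErrNoRecipient = errors.New("no ciphertext for this cluster's public key")
var enc = base64.StdEncoding // assumption: the page does not name the base64 variant

// Wrap builds an envelope from recipient public key (base64) -> sealed ciphertext.
func Wrap(byKey map[string][]byte) string {
	m := map[string]string{}
	for k, ct := range byKey {
		m[k] = enc.EncodeToString(ct)
	}
	raw, _ := json.Marshal(m) // a map[string]string always marshals
	return prefix + enc.EncodeToString(raw)
}
// Lookup returns the ciphertext addressed to ownKey, ready for sealed-box opening.
func Lookup(value, ownKey string) ([]byte, error) {
	if !strings.HasPrefix(value, prefix) {
		return nil, errors.New("not an ACORNENC value")
	}
	raw, err := enc.DecodeString(strings.TrimPrefix(value, prefix))
	if err != nil {
		return nil, fmt.Errorf("outer base64: %w", err)
	}
	var m map[string]string
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("envelope JSON: %w", err)
	}
	b64, ok := m[ownKey]
	if !ok {
		return nil, ErrNoRecipient
	}
	ct, err := enc.DecodeString(b64)
	if err != nil || len(ct) < sealOverhead {
		return nil, errors.New("malformed ciphertext for this key")
	}
	return ct, nil
}
func main() { // constructed sample: zero-filled 48-byte stand-in ciphertext for key "a2V5LUE="
	v := Wrap(map[string][]byte{"a2V5LUE=": make([]byte, 48)})
	fmt.Println(Lookup(v, "a2V5LUI=")) // a different cluster's key: ErrNoRecipient
}
```

Rejecting a value with no entry for the local key before any decryption attempt gives the "no key can decrypt" error a distinct, loggable cause.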