
feat: create and mount db encryption key

Open mxyng opened this issue 1 year ago • 2 comments

Summary

When creating a server deployment, if a DB encryption key isn't supplied, create one as a Kubernetes secret and mount it into the server pod. This is nicer than the existing default, which is to create an encryption key in the pod itself, which is only persisted if the key is in the path of a PVC.

It removes a dependency on PVCs. Once this is merged, the only remaining dependency is the database.

Note: This is a breaking change since it discards the previous encryption. Manual steps are required to ensure the continued viability of the data.

TODO

  • [x] add migration steps

Before attempting an upgrade from <=0.14.x, follow the steps below to migrate the encryption key if using Helm release name infra and namespace infrahq:

$ ENCRYPTION_KEY=$(mktemp)
$ kubectl -n infrahq exec -i deployment/infra-server -- cat /var/lib/infrahq/server/sqlite3.db.key >$ENCRYPTION_KEY
$ kubectl -n infrahq create secret generic infra-server-encryption-key --from-file=key=$ENCRYPTION_KEY
$ kubectl -n infrahq annotate secret infra-server-encryption-key meta.helm.sh/release-name=infra meta.helm.sh/release-namespace=infrahq
$ kubectl -n infrahq label secret infra-server-encryption-key app.kubernetes.io/managed-by=Helm
# upgrade as usual and verify the upgrade. once the upgrade is complete, remove $ENCRYPTION_KEY

mxyng, Jul 13 '22 18:07
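
A pre-upgrade check for the migration steps above, added here as an example and not part of the PR or the Infra project: it confirms the exported key file is non-empty and that the secret's `key` field decodes to the same bytes. The function names are hypothetical, and `sha256sum` and `base64 -d` (GNU coreutils) are assumed to be available.

```shell
#!/bin/sh
# Added example (not from the PR): verify the key copy before upgrading.
# If `kubectl exec` fails, the redirect still leaves an empty temp file, and a
# secret created from it would replace the real key on upgrade.

# sha256 of a file's raw bytes, printed as hex.
file_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# sha256 of base64-encoded secret data ($1), as stored under .data in a Secret.
secret_digest() {
    printf '%s' "$1" | base64 -d | sha256sum | cut -d' ' -f1
}

# verify_key_copy <key-file> <base64-secret-data>
# Returns 0 only if the file is non-empty and the secret decodes to the same bytes.
verify_key_copy() {
    key_file=$1
    secret_b64=$2
    if [ ! -s "$key_file" ]; then
        echo "key file is missing or empty; the export from the pod likely failed" >&2
        return 2
    fi
    if [ -z "$secret_b64" ]; then
        echo "secret has no data under 'key'" >&2
        return 3
    fi
    if [ "$(file_digest "$key_file")" != "$(secret_digest "$secret_b64")" ]; then
        echo "secret content differs from the exported key" >&2
        return 1
    fi
    return 0
}

# Usage against a cluster (names taken from the steps above):
#   data=$(kubectl -n infrahq get secret infra-server-encryption-key -o jsonpath='{.data.key}')
#   verify_key_copy "$ENCRYPTION_KEY" "$data" && echo "key copy verified"
```

Comparing digests avoids printing the key material to the terminal or shell history.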

Can you link the values file you're using? I haven't seen this locally with either the default values or my local values.

mxyng, Jul 14 '22 16:07

I'm going to hold off on this until there are more breaking changes we can bundle together.

mxyng, Jul 21 '22 20:07