Support to specify custom key for encryption and decryption

[leochr]

Liberty uses a default key for encryption and decryption, but it can be overridden by wlp.password.encryption.key. Allow users to specify this and use it in operations such as LTPA key generation.

Allow users to optionally specify this key via a secret (i.e. wlo-wlp-password-encryption-key) When specified, this key should be specified as part LTPA key generation commands:

• securityUtility encode --key
• securityUtility createLTPAKeys --passwordKey

The key should also be specified in the server config so that LTPA key can be decrypted:

<variable name="wlp.password.encryption.key" value="yourKey" />

Validate that the server dump (Day 2 operation) doesn't leak this key: https://openliberty.io/docs/latest/password-encryption.html#_encryption_key_protection

[leochr]

Meeting summary (June 6, 2024):

• wlp.password.encryption.key variable will be used when it's specified to decrypt LTPA. There is no other way to specify a decrypt key for LPTA, so we must handle the decryption (and encryption) using this common variable that applies to the entire Liberty server.

• The mounting of the Secret wlo-wlp-password-encryption-key and the associated server configuration to read it must be enabled even when .spec.manageLTPA is not enabled.

• We should consider the mounting the sensitive information outside the configuration directory and instead referencing the location from the include server config. We should consider the same for the managedLTPA directory.

• When the Secret wlo-wlp-password-encryption-key is specified for the first time or when it is changed or removed, the managed LTPA key must be regenerated. We can use the resource version of the Secret to detect the change and trigger regeneration.

• Consider creating utils method in Operator to handle mounting of Secrets/ConfigMap and server configuration