department-of-veterans-affairs / abd-vro

To get Veterans benefits in minutes, VRO software uses health evidence data to help fast track disability claims.

Work with LHDI to renew RDS certs expiring 12/1 #3739

Open meganhicks opened 5 days ago

meganhicks commented 5 days ago

In the last sprint, we identified that our RDS certificates are expiring soon. Although we are in the process of decommissioning the platform, we don't anticipate completion by 12/1. To be cautious, we’ve decided to renew the certificates. This ticket covers the work required for this renewal.

svc-bgs-api, svc-bie-kafka, and svc-bip-api all get the certificates from Vault secrets, which get written to keystore.p12 files on pod creation. Once the new certs are issued, they will need to be base64 encoded and have the keystore and keystore password secrets updated.

AC:

  1. These certificates are renewed:
     a. va-abd-rrd-prod-tls
     b. va-abd-rrd-dev-tls
     c. va-abd-rrd-prod-test-tls
  2. The new certificates and their passwords are uploaded to Vault
  3. Pods are synced and restarted with the updated Vault secrets in prod-test and below
     a. prod will be updated in the next deployment

brostk commented 10 hours ago

va-abd-rrd-dev-tls and va-abd-rrd-prod-test-tls have been updated and now expire in mid-December, 2025. svc-bip-api and svc-bgs-api have been restarted and validated as working from dev through prod-test.

va-abd-rrd-prod-tls has not been updated yet - this will occur either Wednesday 11/20 or Thursday 11/21 and include communication to partner teams. This will be treated as a deployment since there might be application downtime while the apps restart (this is minimal - a few seconds) to pull in the new secrets.

svc-bie-kafka and its keystore were not updated, as they were issued by a different authority and the keystore used by that app has been expired since September without it affecting the application health. It appears the certificate is unused in this app, so it was skipped.
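
The renewal in this issue ends with a base64-encoded PKCS#12 keystore and its password stored as secrets, and one keystore turned out to have been expired since September. As an added example (not part of the thread or the abd-vro code), the script below reports when the certificate inside such a base64 keystore expires. The function names, the `KEYSTORE_PASSWORD` variable and the sample keystore are assumptions; it needs `openssl` and `base64`.

```bash
#!/usr/bin/env bash
# Added example. Function names and the KEYSTORE_PASSWORD variable are assumptions.
# The password is read from the environment so it never appears in a process listing.

# check_keystore_expiry <base64-file> <min-days>
# Exit status: 0 = certificate valid for at least <min-days> more days,
#              1 = expires sooner (or has already expired),
#              2 = keystore could not be decoded or opened (e.g. wrong password).
check_keystore_expiry() {
    local b64_file="$1" min_days="$2" cert
    # Strip line wrapping, decode, and extract only the certificate that
    # matches the private key (-clcerts); private keys are never written out.
    cert=$(tr -d '\r\n' < "$b64_file" | base64 -d 2>/dev/null \
        | openssl pkcs12 -nokeys -clcerts -passin env:KEYSTORE_PASSWORD 2>/dev/null \
        | openssl x509 2>/dev/null) || return 2
    [ -n "$cert" ] || return 2
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
    # -checkend N exits non-zero when the certificate expires within N seconds.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend "$((min_days * 86400))" >/dev/null
}

# Constructed sample input: a throwaway self-signed keystore valid for <days>,
# written as single-line base64 text to <out-file>.
make_sample_keystore() {
    local out="$1" days="$2" tmp rc
    tmp=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=sample.invalid" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
        -out "$tmp/keystore.p12" -passout env:KEYSTORE_PASSWORD 2>/dev/null &&
    base64 < "$tmp/keystore.p12" | tr -d '\n' > "$out"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Usage: KEYSTORE_PASSWORD=... ./check_keystore.sh keystore.b64 30
if [ "$#" -eq 2 ]; then
    check_keystore_expiry "$1" "$2"
fi
```

Running the check against the exact base64 text that will be uploaded catches an expired or wrongly encoded keystore, or a mismatched password, before any pod is restarted.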