feat(k8s): register system identities through cli command

[sigilioso]

Summary

Adds a register-system-identity subcommand to the Kubernetes CLI binary. This command provisions a New Relic system identity (client ID + private key) and stores it as a Kubernetes Secret, making it available for Agent Control to authenticate with Fleet Control. The operation is idempotent — if the secret already exists, it exits early without modifying anything.

This aligns the approach between k8s and on-host for System Identity provisioning, leveraging the CLI to do so in both cases, it also allows simplifying the corresponding job in the helm chart.

Notes for reviewers

• Identity Creation is not covered in e2e (we leverage an already existing System Identity). The approach has been manually using an updated helm-chart. Check out the corresponding draf-PR for details: [agent-control-deployment] use cli to register system identity [NR-537956] helm-charts#2189
• The provide_system_identity_secret function takes the identity provider as a parameter specifically to enable unit testing without hitting real auth endpoints (the k8s client is also taken as a parameter for the same purpose).
• A new comment has been added to the SystemIdentityArgs struct to clarify the broader tradeoff between arguments and sub-commands.
• The changes in the Tiltfile prepare everything for the new version but are supposed to be compatible with the current chart.

🚧 newrelic-auth-rs update

• After feat(k8s): register system identities through cli command #2378 (comment), a little refactor to avoid unnecessarily writing the private-key on System Identity generation.
• To do so an update in newrelic-auth-rs was needed, check feat: extract rsa key generation into public module newrelic-auth-rs#195
• We are currently pointing to main, but this won't be merged until the changes in newrelic-auth-rs are released

[gsanchezgavier]

Thanks! i left some doubts

[gsanchezgavier]

are we storing the pk in the fs and the reading it?

[sigilioso]

We are! Thanks for pointing out, I'm looking for alternatives to avoid it.

[sigilioso]

I finally changing by using a custom key::Creator for the k8s use-case (it actually doesn't create anything but it allow us referencing to the key pair without external components). LMKWYT.

[gsanchezgavier]

til

[gsanchezgavier]

thanks for addressing the comments!

[paologallinaharbur]

why can't it generate and return the key without storing it?
Would make sense to have a inMemoryCreator instead of the hack?

[sigilioso]

I started with a in-memory creator but it was adding complexity: the create() method would mutate the internal state and it would need to provide something to access to the private key.

[paologallinaharbur]

I am not sure this should have been public after all 😅
I think it would have been cleaner to have a inMemory creator

[sigilioso]

I agree but then I'd polish the Creator trait first. I'll leave it as it is for now and re-consider a future refactor for newrelic-auth-rs, if that's OK

[sigilioso]

We'll improve this in a PR on top of this after newrelic/newrelic-auth-rs#201 is merged

[sigilioso]

Addressed here: #2399 (there is no Creator anymore!)

[paologallinaharbur]

I have doubts regarding the keyHolder, but it is something internal, therefore I do not want to block it

[sigilioso]

Now that newrelic/newrelic-auth-rs#201 is ready, I'm working on a PR on top of this to simplify things. It should address: #2378 (comment)

[DavSanchez]

Are the closures required?

[DavSanchez]

Even with this case I'm not sure the closures are required.

[DavSanchez]

Needs rebase 🚀

[sigilioso]

Needs rebase 🚀

Rebased! Thanks!