feat: introduce jwks

[aldbr]

Goes from using a single key to sign/verify tokens to setting up a jwks following RFC 7517.

Introduces 2 new diracx-logic commands:

• generate a new key and rotate the JWKS: the new key can sign/verify tokens, the old one(s) can only verify tokens.
• delete a given key from the JWKS

Note: I have switched from authlib to joserfc to manipulate JWK and JWT as recommended in the official documentation: https://docs.authlib.org/en/latest/jose/index.html#jose-guide

It comes with the following PRs:

• feat: replace single key by a jwks in docker-compose DIRAC#8188
• feat: replace authlib with joserfc container-images#33
• feat: add keystore init container diracx-charts#151

Migration Plan (LHCb-only I think)

1. Get the private key

kubectl exec -it diracx-<pod_id> -- cat /signing-key/rsa256.key > rsa256.key

2. Import in a JWKS

import json
from joserfc.jwk import RSAKey, KeySet
from uuid_utils import uuid7


with open("rsa256.key") as f:
    key = RSAKey.import_key(
        f.read(),
        {
            "key_ops": ["sign", "verify"],
            "alg": "RS256",
            "kid": uuid7().hex, 
        }
    )
    
jwks = KeySet([key])

with open("jwks.json", "w") as f:
    json.dump(jwks.as_dict(private=True), f, indent=2)

3. Rotate the key (generate a new one)

python -m diracx.logic rotate-jwk --jwks-path jwks.json

4. Modify values.yaml to disable to keystore generation:

helm get values diracx -o yaml > values.yaml

initKeyStore:
  enabled: false

5. Generate the secret

kubectl create secret generic diracx-jwks \
  --namespace=$namespace \
  --from-file=jwks.json \

Once the update is done, the content of the secret is expected to be copied in jwks.json and read by diracx.

[aldbr]

Of course we have a chicken-and-egg issue because the repos depend on each other.

• I will make that PR compatible with the current approach (single key), this is only required for the tests
• I will add authlib back to container-images, along with joserfc for now

From there, we can:

• Merge feat: replace authlib with joserfc container-images#33
• I make a quick test with the certification environment by applying this branch, just to make sure the migration plan works fine.
  • test on diracx-cert: get an access token using the single key, update the pod, try to interact with the instance with the access token (the instance is now using a jwks with the content of the key)
  • test locally: follow the migration plan with the new helm chart
• I follow the same procedure to create the keystore secret in lhcb-diracx instances to be ready
  • secrets are in place
  • the keystore initialization is disabled in values.yaml
• Merge this PR
• Merge feat: add keystore init container diracx-charts#151 and feat: replace single key by a jwks in docker-compose DIRAC#8188 (they should pass the CI)
• I will then remove authlib from the dependencies in container-images and the compatibility with the single key in diracx.

The deployed instances should fetch the keystore instead of the single key and that should work transparently.