feat(objectstore): enable objectstore auth if key is configured

[matt-codecov]

• upgrades objectstore_client to 0.0.15
• adds optional UploadServiceAuthConfig struct which can configure Objectstore signing key/token creation options
• creates an Objectstore TokenGenerator if config is provided

two things to note:

• in INF-844 our secrets were provisioned with GCP Secret Manager. @rgibert says for now we have to mount them as files until secret syncing in the GCP SM CSI driver is GA, so that's what this PR does.
• the TODOs can be removed after fix(rust-client): re-export objectstore_types::Permission as part of API objectstore#256 merges and i release a new client version. just wanted to get feedback on the rest of the PR first.

Legal Boilerplate

Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.

[jjbayer]

Is there a difference between None and the empty set here? I.e. None means all permissions, empty set means no permissions at all? If not, we could remove the option.

[jjbayer]

Come to think of it, should the permissions of this client really be configurable? I assume that Relay would always need the same set of permissions to function correctly, so I would hard-code them instead of putting them in the config.

[matt-codecov]

None is taken to mean "we don't set it, use the client default" whereas empty set means "create tokens with no permissions"

you are right that relay will generally use a single set of permissions, and if that changes it might be something that is overridden when creating a session. either way i need to expose the Permission type for y'all to reference, but if y'all are fine with hardcoding i can remove this permission config

[jjbayer]

Yes I'm fine with removing the config.

[jjbayer]

nit: https://develop.sentry.dev/ingestion/relay/relay-best-practices/#data-structures

Suggested change

	pub permissions: Option<HashSet<String>>,
	pub permissions: Option<BTreeSet<String>>,

[jjbayer]

Didn't test this but it must be possible to not clone here:

Suggested change

	secret_key: std::fs::read_to_string(auth.key_file.clone())?,
	secret_key: std::fs::read_to_string(&auth.key_file)?,

[jjbayer]

Suggested change

	/// A file where the JWT private key content is located, in EdDSA PEM form.
	/// Path of the JWT private key file, in EdDSA PEM form.

[jjbayer]

Suggested change

	pub key_file: String,
	pub key_file: PathBuf,

[Dav1dde]

14 additional dependencies, but I guess that's not avoidable.

[Dav1dde]

Is kid something objectstore uses a lot? If not for consistency I'd prefer key_id, key_file, key_{...}.

[matt-codecov]

it's the name of the JWT header field. key_id is probably clearer in code, you're right

[Dav1dde]

@matt-codecov With #5531 Relay's config can transparently load values from files, meaning you can just expect the config variable to contain the key as a String.

Example ${file:/path/objectstore.key}:

relay/tests/integration/test_config.py

Lines 55 to 68 in e98cd49

	def test_variable_loaded_from_file(mini_sentry, relay):
	tmp = tempfile.NamedTemporaryFile(delete_on_close=False)
	tmp.write(b"1B")
	tmp.close()
	relay = relay(
	mini_sentry,
	options={
	"limits": {"max_event_size": f"${{file:{tmp.name}}}"},
	},
	)
	with pytest.raises(HTTPError, match="413 Client Error"):
	relay.send_event(42)