Feat/spiffe machine identity key encryption key rotation

[prbinu-nvidia]

Description

Adds site master encryption key (KEK) rotation for SPIFFE machine identity. Operators can change [machine_identity].current_encryption_key_id, re-wrap existing tenant_identity_config ciphertext via a new admin gRPC, and rely on envelope-embedded key_id instead of a redundant DB column.

• Drop per-row encryption_key_id — Migration removes the column; decrypt uses key_id in the AES-GCM envelope JSON; new encrypts use site current_encryption_key_id from config/secrets (machine_identity.encryption_keys).
• New Forge.ReencryptTenantIdentitySecrets RPC — Site-operator API (Forge Admin CLI) re-wraps encrypted_signing_key_1, encrypted_signing_key_2, and encrypted_auth_method_config for one org or all orgs; supports dry_run for validate-only runs.
• Response includes current_encryption_key_id — Echoes the site key used as the re-wrap target so dry-run output is self-explanatory (e.g. already on kv2 vs still on kv1).
• SQL hardening — Replace SELECT * / RETURNING * on tenant_identity_config with explicit column lists to avoid PostgreSQL “cached plan must not change result type” errors after schema migrations.
• Docs — Update docs/design/machine-identity/spiffe-svid-sdd.md (§3.1.1 KEK rotation workflow, API reference, proto.

Commits (#847)

Commit	Description
cc0376b97	Remove redundant DB encryption_key_id; envelope-driven decrypt
cdab38045	Inline SQL statements (review feedback)
8d7215e4c	Add ReencryptTenantIdentitySecrets API
3dc23c1df	Add current_encryption_key_id response field; SQL refactor; SDD

Key files

• crates/rpc/proto/forge.proto
• crates/api-core/src/handlers/tenant_identity_config.rs
• crates/api-core/src/machine_identity/crypto.rs
• crates/api-db/src/tenant_identity_config.rs
• crates/api-db/migrations/20260528120000_drop_tenant_identity_encryption_key_id.sql
• docs/design/machine-identity/spiffe-svid-sdd.md

Operator workflow (post-merge)

1. Add new key to Vault (machine_identity/encryption_keys/kv2); keep the old key.
2. Set current_encryption_key_id = "kv2" and restart carbide-api.
3. Call ReencryptTenantIdentitySecrets with dryRun: true, then dryRun: false.
4. Confirm currentEncryptionKeyId, rowsFailed: 0, and identity/sign RPCs still work.

Type of Change

• Add - New feature or capability
• Change - Changes in existing functionality
• Fix - Bug fixes
• Remove - Removed features or deprecated functionality
• Internal - Internal changes (refactoring, tests, docs, etc.)

Related Issues (Optional)

#847

Breaking Changes

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• No testing required (docs, internal refactor, etc.)

Additional Notes

#261 Epic

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4fa63c46-c792-4f5b-b090-531673b9ad6e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pull-request-2136.docs.buildwithfern.com/infra-controller