feat(aggregator): Sign ancillary with GCP Kms

[Alenar]

Content

This PR add a new provider for signing ancillary files: GCP Kms.

Aggregator changes

• Add AncillarySignerWithGcpKms service
  • not automatically tested as this use a third party crate, gcloud_kms, so testing would mean providing a server that would mock Gcp Kms responses
  • it can be configured by setting the ANCILLARY_FILES_SIGNER_CONFIG configuration key like this:

{
  "type": "gcp-kms",
  "resource_name": "projects/project_name/locations/_location_name/keyRings/key_ring_name/cryptoKeys/key_name/cryptoKeyVersions/key_version"
}

• Add GcpCryptoKeyVersionResourceName to verify gcp kms resource name provided from the configuration when reading the configuration (else AncillarySignerWithGcpKms would fail when computing the signature, far after the aggregator start).
• Add tools::DEFAULT_GCP_CREDENTIALS_JSON_ENV_VAR constant to avoid repetitions of the GOOGLE_APPLICATION_CREDENTIALS_JSON env var name

Pre-submit checklist

• Branch
  • Tests are provided (if possible)
  • Crates versions are updated (if relevant)
  • CHANGELOG file is updated (if relevant)
  • Commit sequence broadly makes sense
  • Key commits have useful messages
• PR
  • All check jobs of the CI have succeeded
  • Self-reviewed the diff
  • Useful pull request description
  • Reviewer requested
• Documentation
  • Update documentation website (if relevant)
  • No new TODOs introduced

Issue(s)

Relates to #2362

[Copilot]

Pull Request Overview

This PR adds support for signing ancillary files using a key stored in Google Cloud Platform KMS. Key changes include:

• The implementation of a new signing service (AncillarySignerWithGcpKms) using the gcloud-kms crate.
• The addition of the GcpCryptoKeyVersionResourceName module to validate and parse GCP resource names.
• Updates to configuration, dependency injection, tests, and documentation to integrate GCP KMS as a new ancillary files signer.

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
mithril-aggregator/src/tools/mod.rs	Added constant DEFAULT_GCP_CREDENTIALS_JSON_ENV_VAR
mithril-aggregator/src/services/snapshotter/ancillary_signer/with_gcp_kms.rs	New signer service implementation using GCP KMS client
mithril-aggregator/src/services/snapshotter/ancillary_signer/mod.rs	Updated module imports and re-exports
mithril-aggregator/src/services/snapshotter/ancillary_signer/gcp_kms_resource_name.rs	Added resource name validation and parsing logic
mithril-aggregator/src/file_uploaders/gcp_uploader.rs	Updated use of environment variable constant in uploader logic
mithril-aggregator/src/dependency_injection/builder/protocol/artifacts.rs	Integrated GcpKms variant for ancillary files signer configuration
mithril-aggregator/src/configuration.rs	Updated configuration and added tests for GCP KMS-related settings
mithril-aggregator/Cargo.toml	Added gcloud-kms dependency
internal/mithril-doc/src/markdown_formatter.rs	Updated newline formatting in markdown output
docs/website/root/manual/develop/nodes/mithril-aggregator.md	Updated ancillary files signer configuration documentation

[github-actions]

Test Results

    3 files  ±0     57 suites  ±0   11m 40s ⏱️ -14s
1 874 tests +7  1 874 ✅ +7  0 💤 ±0  0 ❌ ±0 
2 336 runs  +7  2 336 ✅ +7  0 💤 ±0  0 ❌ ±0 

Results for commit 3b8e596. ± Comparison against base commit f872829.

♻️ This comment has been updated with latest results.

[sfauvel]

LGTM

[dlachaume]

LGTM 👍

[dlachaume]

Would it make sense to use the constants declared just above?

[jpraynaud]

LGTM

[jpraynaud]

Suggested change

	DEFAULT_GCP_CREDENTIALS_JSON_ENV_VAR.to_string()
	DEFAULT_GCP_CREDENTIALS_KMS_JSON_ENV_VAR.to_string()

[jpraynaud]

We need 2 different variables if we want to use 2 different service accounts:

Suggested change

	if env::var(DEFAULT_GCP_CREDENTIALS_JSON_ENV_VAR).is_err() {
	if env::var(DEFAULT_GCP_CREDENTIALS_CLOUD_STORAGE_JSON_ENV_VAR).is_err() {