CH-224: Gatekeeper update

[alxbrd]

Closes CH-224

Implemented solution

Sets enable-encrypted-token: false
Introduces configurable gk encryption key secret.
Updates to gk 4.6.0

How to test this PR

...

Sanity checks:

• The pull request is explicitly linked to the relevant issue(s)
• The issue is well described: clearly states the problem and the general proposed solution(s)
• In this PR it is explicitly stated how to test the current change
• The labels in the issue set the scope and the type of issue (bug, feature, etc.)
• The relevant components are indicated in the issue (if any)
• All the automated test checks are passing
• All the linked issues are included in one Sprint
• All the linked issues are in the Review state
• All the linked issues are assigned

Breaking changes (select one):

• The present changes do not change the preexisting api in any way
• This PR and the issue are tagged as a breaking-change and the migration procedure is well described above

Possible deployment updates issues (select one):

• There is no reason why deployments based on CloudHarness may break after the current update
• This PR and the issue are tagged as alert:deployment

Test coverage (select one):

• Tests for the relevant cases are included in this pr
• The changes included in this pr are out of the current test coverage scope

Documentation (select one):

• The documentation has been updated to match the current changes
• The changes included in this PR are out of the current documentation scope

Nice to have (if relevant):

• Screenshots of the changes
• Explanatory video/animated gif

[Copilot]

Pull request overview

Updates the Helm Gatekeeper deployment configuration to align with CH-224 by changing Gatekeeper runtime settings and bumping the default Gatekeeper image version.

Changes:

• Adds Gatekeeper config options (enable-encrypted-token: false) and introduces an encryption-key value sourced from harness.secrets.gatekeeper.
• Updates the default Gatekeeper container image to quay.io/gogatekeeper/gatekeeper:4.6.0.
• Adjusts the application value template to include a harness.secrets.gatekeeper entry.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
deployment-configuration/value-template.yaml	Adds a default harness.secrets.gatekeeper key to app config template.
deployment-configuration/helm/templates/auto-gatekeepers.yaml	Updates Gatekeeper proxy config generation and bumps default Gatekeeper image version.

[Copilot]

encryption-key is rendered into a ConfigMap (proxy.yml), which means the key is stored in plaintext and readable to anyone with ConfigMap access. If this key is meant to be secret (as implied by “encryption key”), it should come from a Kubernetes Secret (e.g., via env var secretKeyRef or mounting a Secret file) rather than being embedded in a ConfigMap.

Suggested change

	encryption-key: {{ .app.harness.secrets.gatekeeper | default (randAlphaNum 20) | quote }}
	encryption-key: ${GATEKEEPER_ENCRYPTION_KEY}

[Copilot]

Defaulting encryption-key with randAlphaNum 20 makes the rendered manifest non-deterministic across helm upgrade / re-renders. If encrypted tokens are enabled in any environment, this will rotate the key unexpectedly and can invalidate tokens (and may lead to inconsistent behavior across replicas). Prefer a stable source (e.g., require an explicit value, or derive it from an existing Secret via lookup).

Suggested change

	encryption-key: {{ .app.harness.secrets.gatekeeper | default (randAlphaNum 20) | quote }}
	encryption-key: {{ required "app.harness.secrets.gatekeeper (encryption-key) must be set" .app.harness.secrets.gatekeeper | quote }}

[Copilot]

Adding harness.secrets.gatekeeper to the base value-template.yaml means every generated app config will have a non-empty harness.secrets map by default. In Helm, this will cause helm/templates/auto-secrets.yaml to start creating a Kubernetes Secret for all apps (even when harness.secured: false), which is a behavior change and adds unnecessary resources. Consider keeping secrets: {} as the default and only adding the gatekeeper secret key when an app is actually secured (or generate/attach it conditionally in the gatekeeper template).

Suggested change

	secrets:
	gatekeeper:
	secrets: {}