feat: reworked announce key flow and validation

[NamanBalaji]

This PR introduces a better flow for key operations starting with announce key and adds a validation package

• Announce key request is validated and if we are announcing on root or a root key then no job is created, otherwise a job is created
• If key already exists and is in In progress or completed stage we just return the existing key otherwise it's treated as a retry operation
• On the confirm side we check if we have the latest job ID if not we cancel the job because it's stale and don't modify the key entry
• If we are confirming the latest job we revalidate because there can be changes in the state and if validation passes we conform the job otherwise we cancel it and mark the key as failed so it can be retried.

Notes:

• On Agent side we don't need any validations as whatever the root sends is trusted. In future when we implement operations with higher prio like suspend a parent or ancestor or delete a parent etc we traverse down the subtree cancel all the in progress job for child keys and then perform our operation. So root acts as the orchestrator and agents just accept.
• For now announce is only possible when the parent is a direct parent of the key that's being announced and parent needs to be active, this can be changed in the future.

[jithinkunjachan]

Nice work

[jithinkunjachan]

Shall we have a integration test for this scenario where we announce key for a root agent

		resp, err := keyCli.AnnounceKey(ctx, &keypb.AnnounceKeyRequest{
			TenantId:   tenantID,
			Kind:       "K1",
			Name:       keyName,
			ParentId:   parentID,
			TargetName: "root",
			Labels:     map[string]string{"cloud": "aws"},
		})

[jithinkunjachan]

In the integration test we don't have root segment but here we have it. IMHO If config are wrong we might have some problems so lets be consistent.
Cause now if we remove the root from the topology

			{Name: testRootName, Segment: spec.HierarchySegment{StartKind: "K0", EndKind: "K0"}},

as we make it similar to the integration test config the test fails for the validation for announcekey(key_service_test.go:76).

krypton/integration/helpers_test.go

Lines 127 to 149 in 8c7ee07

	topology:
	segments:
	- name: %s
	segment:
	start_kind: K2
	end_kind: K3
	key_bindings:
	K2:
	vault:
	name: agent-vault
	type: in-memory
	config:
	prefix: agent-tek
	parent_key_provider:
	agent_name: root
	K3:
	vault:
	name: agent-dek-vault
	type: in-memory
	config:
	prefix: agent-dek
	selector_labels:
	cloud: aws

[NamanBalaji]

Good catch, I fixed it.

[jithinkunjachan]

Currently AnnounceKeyRequest don't have --target-selector field will this be added in subsequent PR Or we go for lean approach for the time being.

[NamanBalaji]

Yes I was unsure how that will work currently we are using the target name for that. Ideally if we use something like labels we would need to figure out which labels match which agents and then find the agent where the announce will be valid, and then resolve the tasks. This can be done in a future ticket.

[jithinkunjachan]

Nice Job

[jithinkunjachan]

good check