Describe the bug
After rotating some keys internally, we realized that all k8up repo passwords are generated using both the project's name and Lagoon's JWT secret, here:
lagoon/node-packages/commons/src/tasks.ts
Line 314 in b74abe8
This means that rotating the JWT will cause the generated value to change, leading to restic passwords that are not generated deterministically. Because these passwords are not the expected value, restic fails to access the backup repository, causing all operations involving the backup repository to fail (Backups, Prunes, Checks, and Restores).
Expected behavior
Lagoon should generate these repository passwords with a value which can be specified, in order to ensure these passwords will not change with every JWT token renewal.
My suggestion would be to allow an env variable to be injected into the API pods, like PROJECT_SECRET_SALT, which is used when specified; if not specified, the JWTSECRET should be used (as it does today).