feat(storage): enable at-rest encryption on storage container #963

Merged: 2 commits, Oct 17, 2024

@andrewazores andrewazores commented Oct 16, 2024

Welcome to Cryostat! 👋

Before contributing, make sure you have:

  • Read the contributing guidelines
  • Linked a relevant issue which this PR resolves
  • Linked any other relevant issues, PR's, or documentation, if any
  • Resolved all conflicts, if any
  • Rebased your branch PR on top of the latest upstream main branch
  • Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
  • Signed all commits: git commit -S -m "YOUR_COMMIT_MESSAGE"

See cryostatio/cryostat#690

Description of the change:

Enables the cryostat-storage flag to turn on SeaweedFS at-rest data encryption.

Motivation for the change:

Improves data security and integrity by ensuring that at-rest files are encrypted. This is not a full solution because Seaweed stores the encryption/decryption key in the file metadata (so that the file can be decrypted later), and in our usage the metadata is stored on the same persistent volume as the encrypted file. So, any attack vectors where the attacker has direct access to the PV bypassing authn/authz checks or the S3 API will still allow the attacker to compromise the data.

How to manually test:

  1. Build and deploy Operator with this PR
  2. Create a Cryostat CR
  3. Check the corresponding Cryostat Deployment or Pod definition and look for the env. var. REST_ENCRYPTION_ENABLE=1
  4. Check the cryostat-storage container logs within the Pod and look for:
     + '[' 1 = 1 ']'
     + FLAGS+=("-filer.encryptVolumeData")
     + exec weed -logtostderr=true server -dir=/data -volume.max=40 -volume.fileSizeLimitMB=4096 -master.volumeSizeLimitMB=251 -master.volumePreallocate=false -filer.allowedOrigins=0.0.0.0 -filer.exposeDirectoryData=false -filer.disableDirListing -webdav=false -filer.encryptVolumeData -s3 -s3.config=/tmp/tmp.SJp8GVR95B

-filer.encryptVolumeData should be passed as an argument to the exec weed invocation.
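
Steps 3 and 4 of the manual test above, automated as an added example (not part of this PR or of the Cryostat project's code): it cross-checks the Pod spec against the traced `exec weed` line, so a flag that shows up only in the `FLAGS+=` trace line is not counted as active. It assumes the container is named `cryostat-storage` and that the env var is set as a literal value; the sample Pod JSON and log are constructed.

```python
import json

ENV_NAME = "REST_ENCRYPTION_ENABLE"     # env var from step 3
WEED_FLAG = "-filer.encryptVolumeData"  # weed argument from step 4
CONTAINER = "cryostat-storage"          # assumption: the container has this name

# Constructed sample inputs (not captured from a real cluster).
SAMPLE_POD = json.dumps({"spec": {"containers": [{
    "name": CONTAINER, "env": [{"name": ENV_NAME, "value": "1"}]}]}})
SAMPLE_LOG = """\
+ '[' 1 = 1 ']'
+ FLAGS+=("-filer.encryptVolumeData")
+ exec weed -logtostderr=true server -dir=/data -filer.encryptVolumeData -s3
"""


def env_requests_encryption(pod_json):
    """Step 3: is REST_ENCRYPTION_ENABLE=1 set on the storage container?"""
    pod = json.loads(pod_json)
    for c in pod.get("spec", {}).get("containers", []):
        if c.get("name") == CONTAINER:
            return any(e.get("name") == ENV_NAME and e.get("value") == "1"
                       for e in c.get("env") or [])
    raise LookupError(f"no container named {CONTAINER!r} in Pod spec")


def weed_started_with_flag(log_text):
    """Step 4: is the flag an argument of the traced `exec weed` line?"""
    for line in log_text.splitlines():
        tokens = line.lstrip("+ ").split()  # drop the shell xtrace prefix
        if tokens[:2] == ["exec", "weed"]:
            return WEED_FLAG in tokens[2:]
    return False  # no exec line found in the log at all


def verdict(pod_json, log_text):
    """Compare requested configuration with what the process was started with."""
    wanted = env_requests_encryption(pod_json)
    active = weed_started_with_flag(log_text)
    if wanted == active:
        return "encrypted" if wanted else "not encrypted"
    return "env set, flag missing" if wanted else "flag set, env missing"


if __name__ == "__main__":
    print(verdict(SAMPLE_POD, SAMPLE_LOG))
```

On a live cluster the two inputs would come from `kubectl get pod <pod> -o json` and `kubectl logs <pod> -c cryostat-storage`.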

@mergify mergify bot added the safe-to-test label Oct 16, 2024
@andrewazores andrewazores added the feat New feature or request label Oct 16, 2024
@andrewazores

/build_test

/build_test completed successfully ✅.
View Actions Run.

@andrewazores andrewazores requested a review from ebaron October 16, 2024 14:48
@andrewazores andrewazores marked this pull request as ready for review October 16, 2024 14:48
@andrewazores andrewazores merged commit a04b5f2 into cryostatio:main Oct 17, 2024
9 checks passed
@andrewazores andrewazores deleted the storage-encryption branch October 17, 2024 21:16