go/worker/keymanager: Optimize enclave initialization

Enclave initialization was moved into its own goroutine to avoid blocking
the main loop of the key manager worker. Once initialization is completed,
the resulting state of the enclave is compared to the latest key manager
status. If the latter has changed, initialization is performed again.

This will be useful when we deploy master secret rotation since new secrets
may be generated while old secrets are being replicated which can result
in an outdated state once initialization finishes.

.changelog/5218.internal.md

@@ -0,0 +1,10 @@
+go/worker/keymanager: Optimize enclave initialization
+
+Enclave initialization was moved into its own goroutine to avoid blocking
+the main loop of the key manager worker. Once initialization is completed,
+the resulting state of the enclave is compared to the latest key manager
+status. If the latter has changed, initialization is performed again.
+
+This will be useful when we deploy master secret rotation since new secrets
+may be generated while old secrets are being replicated which can result
+in an outdated state once initialization finishes.

go/worker/keymanager/init.go

@@ -42,25 +42,25 @@ func New(
 	ctx, cancelFn := context.WithCancel(context.Background())
 
 	w := &Worker{
-		logger:               logging.GetLogger("worker/keymanager"),
-		ctx:                  ctx,
-		cancelCtx:            cancelFn,
-		stopCh:               make(chan struct{}),
-		quitCh:               make(chan struct{}),
-		initCh:               make(chan struct{}),
-		updateStatusTickerCh: nil,
-		clientRuntimes:       make(map[common.Namespace]*clientRuntimeWatcher),
-		accessList:           make(map[core.PeerID]map[common.Namespace]struct{}),
-		privatePeers:         make(map[core.PeerID]struct{}),
-		accessListByRuntime:  make(map[common.Namespace][]core.PeerID),
-		commonWorker:         commonWorker,
-		backend:              backend,
-		enabled:              enabled,
-		mayGenerate:          config.GlobalConfig.Keymanager.MayGenerate,
-		loadSecretCh:         make(chan struct{}, 1),
-		genSecretCh:          make(chan struct{}, 1),
-		genSecretDoneCh:      make(chan bool, 1),
-		genSecretHeight:      int64(math.MaxInt64),
+		logger:              logging.GetLogger("worker/keymanager"),
+		ctx:                 ctx,
+		cancelCtx:           cancelFn,
+		stopCh:              make(chan struct{}),
+		quitCh:              make(chan struct{}),
+		initCh:              make(chan struct{}),
+		clientRuntimes:      make(map[common.Namespace]*clientRuntimeWatcher),
+		accessList:          make(map[core.PeerID]map[common.Namespace]struct{}),
+		privatePeers:        make(map[core.PeerID]struct{}),
+		accessListByRuntime: make(map[common.Namespace][]core.PeerID),
+		commonWorker:        commonWorker,
+		backend:             backend,
+		enabled:             enabled,
+		mayGenerate:         config.GlobalConfig.Keymanager.MayGenerate,
+		initEnclaveDoneCh:   make(chan *api.SignedInitResponse, 1),
+		loadSecretCh:        make(chan struct{}, 1),
+		genSecretCh:         make(chan struct{}, 1),
+		genSecretDoneCh:     make(chan bool, 1),
+		genSecretHeight:     int64(math.MaxInt64),
 	}
 
 	if !w.enabled {

go/worker/keymanager/status.go

@@ -57,6 +57,11 @@ func (w *Worker) GetStatus(ctx context.Context) (*api.Status, error) {
 		al = append(al, ral)
 	}
 
+	var pc []byte
+	if w.enclaveStatus != nil {
+		pc = w.enclaveStatus.InitResponse.PolicyChecksum
+	}
+
 	es := api.EphemeralSecretStats{
 		NumLoaded:     w.numLoadedSecrets,
 		LastLoaded:    w.lastLoadedSecret,
@@ -72,7 +77,7 @@ func (w *Worker) GetStatus(ctx context.Context) (*api.Status, error) {
 		AccessList:       al,
 		PrivatePeers:     ps,
 		Policy:           w.policy,
-		PolicyChecksum:   w.policyChecksum,
+		PolicyChecksum:   pc,
 		EphemeralSecrets: es,
 	}