Files
harmony/fleet/harmony-fleet-auth
Jean-Gabriel Gill-Couture 0bb32401a8 feat(operator,auth): env-only credentials with inline key_json
Operator-side: drops the Secret-as-volume mount entirely. The
operator pod consumes the entire `[credentials]` TOML block —
including the Zitadel JSON keyfile — through one
`valueFrom.secretKeyRef` env var
(`FLEET_OPERATOR_CREDENTIALS_TOML`). No volume, no mount, no
fsGroup, no `0o444` workaround. OKD restricted-v2 SCC compatible.

`OperatorCredentials` collapses to a single field:
  pub credentials_toml: String   // JSON keyfile inlined under key_json

`SECRET_KEY_ZITADEL_KEYFILE` and `KEYFILE_VOLUME_NAME` constants
removed — no longer used.

harmony-fleet-auth: `CredentialsSection::ZitadelJwt` gains
`key_json: Option<String>`. The factory prefers `key_json` when
non-empty, falls back to `key_path` otherwise. Agent (file-based,
`key_path` populated) keeps working unchanged. Operator (env-only,
`key_json` populated) skips the file read entirely. Tests cover
both shapes plus the default-key_path path.

Internal refactor: `load_machine_key` now delegates to
`parse_machine_key(&str)`, shared with the inline path.

fleet_e2e_demo bring-up rewires the credentials TOML it renders
to embed the JSON keyfile via `key_json = """..."""` instead of
`key_path = "..."`. The `OPERATOR_KEY_MOUNT_PATH` constant is gone
along with the now-unused mount logic. 7 callout tests + 19
fleet-auth tests still green.
2026-05-05 11:42:26 -04:00
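An added illustration (not the harmony-fleet-auth code) of the `key_json` / `key_path` preference the commit describes: inline `key_json` wins when present and non-empty, otherwise the file at `key_path` is read, and both paths go through one `parse_machine_key(&str)`. The struct and enum names, the default path value and the stand-in parser body are assumptions; only `key_json`, `key_path`, `load_machine_key` and `parse_machine_key` come from the commit message.

```rust
// Added example, std-only so it runs without crates; not the project's code.
use std::fs;
use std::io;

/// Assumed shape of the `ZitadelJwt` credentials section: `key_path` (agent,
/// file-based) plus the optional inline `key_json` (operator, env-only).
#[derive(Debug, Clone)]
pub struct ZitadelJwtSection {
    pub key_path: String,
    pub key_json: Option<String>,
}

/// Assumed default; the page mentions a default key_path but not its value.
pub const DEFAULT_KEY_PATH: &str = "/etc/harmony/zitadel-key.json";

impl Default for ZitadelJwtSection {
    fn default() -> Self {
        Self { key_path: DEFAULT_KEY_PATH.to_string(), key_json: None }
    }
}

#[derive(Debug, PartialEq)]
pub enum KeySource { Inline, File(String) }

#[derive(Debug, PartialEq)]
pub struct MachineKey { pub json: String, pub source: KeySource }

/// Shared by both paths. Stand-in body: trims and checks that the payload is
/// a JSON object; the real parser would deserialize the Zitadel keyfile.
pub fn parse_machine_key(raw: &str) -> io::Result<String> {
    let json = raw.trim();
    if !(json.starts_with('{') && json.ends_with('}')) {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "keyfile is not a JSON object"));
    }
    Ok(json.to_string())
}

/// Factory preference: non-empty `key_json` skips the file read entirely;
/// anything else (None, empty, whitespace) falls back to `key_path`.
pub fn load_machine_key(section: &ZitadelJwtSection) -> io::Result<MachineKey> {
    match section.key_json.as_deref().map(str::trim) {
        Some(inline) if !inline.is_empty() => Ok(MachineKey {
            json: parse_machine_key(inline)?,
            source: KeySource::Inline,
        }),
        _ => Ok(MachineKey {
            json: parse_machine_key(&fs::read_to_string(&section.key_path)?)?,
            source: KeySource::File(section.key_path.clone()),
        }),
    }
}
```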