@lakshmimsft
Contributor

This PR introduces an encryption subsystem, providing the core encryption logic along with comprehensive tests. The main changes include the implementation of a ChaCha20-Poly1305-based encryption module, key provider interfaces and implementations (for both Kubernetes and in-memory usage), and thorough unit and integration tests to ensure reliability and correct behavior.
ref: design doc

Encryption functionality:

  • Implements the Encryptor type in encryption.go, providing methods for encrypting and decrypting data using ChaCha20-Poly1305 with support for associated data (AD) binding, and includes utility methods for key generation and encrypted data validation.

Key management:

  • Defines the KeyProvider interface and provides two implementations in keyprovider.go: KubernetesKeyProvider (retrieves keys from Kubernetes Secrets with configurable options) and InMemoryKeyProvider (for testing and development), along with error handling for key retrieval and validation.

Testing and validation:

  • Adds keyprovider_test.go with comprehensive tests for both key provider implementations, covering success and error cases.

Type of change

Fixes: #11071

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

  • An overview of proposed schema changes is included in a linked GitHub issue.
    • Yes
    • [] Not applicable
  • A design document PR is created in the design-notes repository, if new APIs are being introduced.
    • Yes
    • [] Not applicable
  • The design document has been reviewed and approved by Radius maintainers/approvers.
    • Yes
    • [] Not applicable
  • A PR for the samples repository is created, if existing samples are affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
    • Yes
    • Not applicable
  • A PR for the recipes repository is created, if existing recipes are affected by the changes in this PR.
    • Yes
    • Not applicable
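
An added example, not code from this PR or the Radius project: a sketch of AEAD encryption with associated-data binding and versioned keys, the two properties the description above names. Standard-library AES-256-GCM stands in for ChaCha20-Poly1305 (both are `cipher.AEAD` implementations with a 12-byte nonce and 16-byte tag); `Seal`, `Open`, `newAEAD`, the one-byte version prefix and the key map are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Stand-in: stdlib AES-256-GCM; chacha20poly1305.New returns the same cipher.AEAD.
func newAEAD(keys map[byte][]byte, version byte) (cipher.AEAD, error) {
	if _, ok := keys[version]; !ok {
		return nil, fmt.Errorf("unknown key version %d", version)
	}
	block, err := aes.NewCipher(keys[version])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns version || nonce || ciphertext+tag (layout assumed for this example).
func Seal(keys map[byte][]byte, version byte, plaintext, ad []byte) ([]byte, error) {
	aead, err := newAEAD(keys, version)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(append([]byte{version}, nonce...), nonce, plaintext, ad), nil
}

func Open(keys map[byte][]byte, blob, ad []byte) ([]byte, error) {
	if len(blob) < 1+12+16 { // 1 version byte + 12-byte nonce + 16-byte tag
		return nil, fmt.Errorf("envelope too short: %d bytes", len(blob))
	}
	aead, err := newAEAD(keys, blob[0])
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blob[1:13], blob[13:], ad) // fails if ad differs from Seal
}

func main() {
	keys := map[byte][]byte{1: make([]byte, 32)} // constructed all-zero demo key
	blob, _ := Seal(keys, 1, []byte("s3cret"), []byte("resource-a"))
	fmt.Println(Open(keys, blob, []byte("resource-b"))) // wrong AD: authentication error
}
```

Because the associated data is authenticated but not stored, a ciphertext copied onto a different resource fails to decrypt even though the key is the same.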

@lakshmimsft lakshmimsft requested a review from sk593 January 28, 2026 20:12
@lakshmimsft lakshmimsft force-pushed the lakshmimsft/encryption branch from 3127633 to 4c307c6 Compare January 28, 2026 20:17
@lakshmimsft lakshmimsft force-pushed the lakshmimsft/encryption branch from 4c307c6 to 9e8f3cf Compare January 29, 2026 18:55
@lakshmimsft lakshmimsft force-pushed the lakshmimsft/encryption branch from 9e8f3cf to de309ab Compare January 29, 2026 19:23
@lakshmimsft lakshmimsft marked this pull request as ready for review January 29, 2026 19:23
@lakshmimsft lakshmimsft requested review from a team as code owners January 29, 2026 19:23
for version, key := range keys {
versionStr := string(rune('0' + version))
if version >= 10 {
versionStr = string(rune('0'+version/10)) + string(rune('0'+version%10))
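
Review bot: the two-digit branch stops producing digits once version reaches 100, because `'0'+version/10` then lands past '9' (version 100 yields ":0"), and the single-digit path has the same problem for negative values. Formatting the number with the strconv package removes both the branch and the range limit, so a key version added to the test map later cannot silently map to a wrong key name.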
Contributor

This might only work for versions between 0-99. Might be worth using strconv.Itoa(version) so we don't run into errors if we update tests

@radius-functional-tests

radius-functional-tests bot commented Jan 29, 2026

Radius functional test overview

| Name | Value |
| --- | --- |
| Repository | radius-project/radius |
| Commit ref | d3e8f33 |
| Unique ID | funcf0cfbdf5b2 |
| Image tag | pr-funcf0cfbdf5b2 |

  • gotestsum 1.13.0
  • KinD: v0.29.0
  • Dapr: 1.14.4
  • Azure KeyVault CSI driver: 1.4.2
  • Azure Workload identity webhook: 1.3.0
  • Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-funcf0cfbdf5b2
  • Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
  • applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-funcf0cfbdf5b2
  • dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-funcf0cfbdf5b2
  • controller test image location: ghcr.io/radius-project/dev/controller:pr-funcf0cfbdf5b2
  • ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-funcf0cfbdf5b2
  • deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting corerp-cloud functional tests...
⌛ Starting ucp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

@lakshmimsft lakshmimsft merged commit a1c770e into main Jan 29, 2026
56 checks passed
@lakshmimsft lakshmimsft deleted the lakshmimsft/encryption branch January 29, 2026 22:08

Development

Successfully merging this pull request may close these issues.

Encryption/Decryption mechanism
