feat(objectstore): enable objectstore auth if key is configured

[matt-codecov]

• upgrades objectstore-client to 0.0.15
• adds ObjectstoreConfig dataclass to config which can configure Objectstore signing key/token creation options
• creates an Objectstore TokenGenerator if config is provided

something to note: in INF-844 our secrets were provisioned with GCP Secret Manager. @rgibert says for now we have to mount them as files until secret syncing in the GCP SM CSI driver is GA, so that's what this PR does.

working with @rgibert to get these into launchpad's config. https://github.com/getsentry/ops/pull/18653 mounts the signing key as a file, next up i need to figure out where to inject these config values

[NicoHinderling]

lgtm but worth having @rbro112 take a look as well

[sentry]

Bug: Instantiations of the ServiceConfig dataclass in tests use the old objectstore_url parameter, which was removed, causing a TypeError when tests run.
_{Severity: HIGH}

Suggested Fix

Update all test instantiations of ServiceConfig to pass an ObjectstoreConfig instance to the new objectstore_config parameter instead of passing a string to the removed objectstore_url parameter.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: src/launchpad/service.py#L137-L142

Potential issue: The `ServiceConfig` dataclass was refactored to replace the
`objectstore_url` string parameter with a structured `objectstore_config:
ObjectstoreConfig` parameter. However, multiple test files
(`test_artifact_processor.py`, `test_kafka_service.py`) were not updated to reflect this
change. These tests continue to instantiate `ServiceConfig` using the old
`objectstore_url` keyword argument. Since this argument no longer exists on the
dataclass's `__init__` method, a `TypeError` will be raised at runtime when these tests
are executed, causing the test suite to fail.

_{Did we get this right? 👍 / 👎 to inform future reviews.}

[sentry]

Sentry Build Distribution

App Name	App ID	Version	Configuration	Install Page
Hacker News	com.emergetools.hackernews	1.0.2 (13)	Release	Install Build

[cursor]

Cursor Bugbot has reviewed your changes and found 3 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Unused import ObjectstorePermission in service module

Low Severity

Permission as ObjectstorePermission is imported in service.py but never referenced anywhere in the file. The Permission class is only used in utils/objectstore.py, where it's imported separately. This is dead code left over from development.

 

[cursor]

Global keyfile cache ignores path parameter changes

Low Severity

_read_keyfile uses a single module-level _cached_keyfile global that ignores the path parameter after the first successful read. If ever called with a different path (e.g., key rotation or tests), the stale cached content from the first call is returned. The cache is not keyed by path, making the function's contract misleading.

 

[cursor]

Key file content not stripped of trailing whitespace

Medium Severity

_read_keyfile passes the raw result of f.read() to TokenGenerator without stripping whitespace. The PR description states the signing key is mounted as a file via GCP Secret Manager CSI driver. File-mounted secrets commonly include a trailing newline, which would become part of the key material passed to TokenGenerator, likely causing token signing failures or invalid auth tokens in production.