Credentials provided or generated when bootstrapping should not be rotated

[adutra]

Describe the bug

When bootstrapping a realm, either with the env var POLARIS_BOOTSTRAP_CREDENTIALS or using the admin tool, the provided secrets get rotated.

Because previous secrets are still valid, this works, but I would argue that that's a bad user experience: the user said they want secret A, and they get secret B, and it's B that gets printed to stdout (for in-memory metastores).

What is the reason for doing this rotation?

• If the secrets were randomly generated, rotating is meaningless
• If the secrets were provided by the user, rotating effectively overrides their instructions.

To Reproduce

No response

Actual Behavior

No response

Expected Behavior

No response

Additional context

No response

System information

No response

[eric-maynard]

@collado-mike, I recall we discussed this in my PR to use credential hashes

[collado-mike]

I don't recall the discussion, but I think that if the secrets are provided via env variables, they should not be rotated except by the user.

[adutra]

Is it OK to go ahead and fix this?

[eric-maynard]

I think so; if the rotation isn't intentional then we should try to get rid of it

[dimas-b]

re-opening per discussions in #1799