Hybrid Cloud Console / RHCLOUD-24150

Alternative Gateway Secret Support in Turnpike

    • Platform A&M Sprint 64, Platform A&M Sprint 65

      After the Gateway Secret rotation during RHCLOUD-23975, it was discovered that Turnpike does not have a method of supporting an Alternative Gateway Secret. Without supporting an Alternative Gateway Secret, there is an issue when a new Gateway Secret is pushed to Akamai. Turnpike validates the new Gateway Secret that is supplied to it from Akamai against the old Gateway Secret provided to it at run time. Whether Turnpike or Akamai is updated first with the new Gateway Secret, there is a possibility of downtime because there will be a mismatch between the Gateway Secret Turnpike uses to validate and what Akamai is providing it. 

       

      The suggestion is to provide Alternative Gateway Secret support in Turnpike similarly to how we handle it with Gateway. Please note that the Alternative Gateway Secret is typically removed after Gateway Secrets have been rotated, so the updated logic in Turnpike will need to be able to support the Alternative Gateway Secret being absent.

       

      Gateway/3scale - PSK Check:

      Turnpike - PSK Check:

       

       

      Additionally, once this functionality has been added to Turnpike, we will need to update the Turnpike section of the "Gateway - "gateway-secret" Rotation" doc to make use of the Alternative Gateway Secret.
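
A sketch of the check this issue asks for, added here as an illustration and not taken from Turnpike or Gateway: the PSK is accepted if it matches the primary secret or an optional alternative, and an absent or empty alternative matches nothing. The function names, the sample secret values and the rotation order in `rotation_walkthrough` are assumptions.

```python
import hmac
from typing import List, Optional, Tuple


def _matches(presented: bytes, expected: Optional[str]) -> bool:
    # An unset or empty secret matches nothing. Without this guard, an absent
    # alternative read as "" would accept a request carrying an empty PSK.
    if not expected:
        return False
    return hmac.compare_digest(presented, expected.encode("utf-8"))


def psk_is_valid(presented: Optional[str], primary: Optional[str],
                 alternative: Optional[str] = None) -> bool:
    """Accept the PSK if it equals the primary or the (optional) alternative."""
    if not presented:
        return False
    candidate = presented.encode("utf-8")
    # Run both comparisons instead of short-circuiting on the first one.
    ok_primary = _matches(candidate, primary)
    ok_alternative = _matches(candidate, alternative)
    return ok_primary or ok_alternative


def rotation_walkthrough(old: str, new: str) -> List[Tuple[str, bool]]:
    """Return (step, accepted?) pairs. The step order is an assumed rotation plan."""
    steps = [
        # (description, PSK sent by the edge, service primary, service alternative)
        ("before rotation", old, old, None),
        ("service learns new as alternative", old, old, new),
        ("edge switches to new", new, old, new),
        ("service promotes new, keeps old as alternative", new, new, old),
        ("alternative removed", new, new, None),
        ("old secret presented after cleanup", old, new, None),
        ("no alternative support, edge updated first", new, old, None),
    ]
    return [(desc, psk_is_valid(sent, pri, alt)) for desc, sent, pri, alt in steps]


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    for description, accepted in rotation_walkthrough("old-psk-example", "new-psk-example"):
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {description}")
```

The last step reproduces the mismatch described above; the first five show that the edge's PSK stays valid at every point when an alternative slot is available.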

            rh-ee-edong Ellen Dong
            caswilli-insights Casey Williams