Add Master OpenBao Instance

[norbertgruszka]

The OpenBao service supports an autounseal configuration. To enable proper end-to-end testing of this feature, a new target has been added to kindev: the Master OpenBao Instance.

What's included:

• Master OpenBao Instance — a dedicated OpenBao instance that self-initializes via a Kubernetes Job on startup
• Credentials storage — the root token is saved to the master-openbao-init-credentials Secret after initialization
• Transit engine setup — the init Job also configures a transit engine, which is required for autounsealing of other OpenBao clusters
• Documentation — an included README.md provides step-by-step instructions for generating a new token for autounseal use

[Kidswiss]

It's mostly just nits.

[Kidswiss]

Idea: let's introduce a vshnopenbao and add it to vshnall.

[norbertgruszka]

sounds good to me, I renamed master-openbao to vshnopenbao. The service name convention matches other services now.

[Kidswiss]

Haven't done bao in a while, but this will create a periodic token, that will keep itself from expiring if it's used within the specified period, right?

I'd bump that up to 100h or something for the dev instance, otherwise we'd have to re-generate tokens again after a weekend.

[norbertgruszka]

We can make it indefinite with

bao token create -orphan -policy="autounseal" -no-default-policy -format=json > auto-unseal.json

so it never expires. I just added updated command to README.md

[Kidswiss]

Just to be sure 100:1000 is not a typo?

[norbertgruszka]

should be correct, I think those are default values for UID and GID in OpenBao Helm Chart.

[Kidswiss]

Maybe a target to renew the unseal token manually would be nice.

[norbertgruszka]

I'd keep it in README.md for now. Let's see how often it is used and maybe then we can add it as a target?