Set up Vault integration for chatops credentials storage

Context

Part of implementing chatops for background migration management as described in #1432 (comment 2796405262)

As noted in https://gitlab.com/gitlab-com/gl-security/product-security/product-security-engagements/product-security-requests/-/issues/31#note_2658406644, we cannot store PostgreSQL credentials in GitLab's masked variables as they are not secure enough. We need to set up Vault integration instead.

Objective

Configure Vault integration to securely store and retrieve PostgreSQL credentials for chatops-triggered background migration management across all environments.

Documentation

• External Secret Storage Handbook
  • Vault setup runbook - may be more clear than the one above: https://runbooks.gitlab.com/vault/usage/
• Clarification requested: https://gitlab.slack.com/archives/C248YCNCW/p1759505649169159
• Alternative (1Password): https://gitlab.slack.com/archives/C248YCNCW/p1759506631723979

Tasks

• Clarify the documentation with @cmaxim so that we can use it to set up Vault for our team/CI-CD
  • if Vault setup runbook is good enough, we may not need it after all.
• Set up Vault according to the docs
• Test credential retrieval from Vault in a test CI job

Notes

• Main challenge: Ensuring documentation is clarified and properly understood
• Need to coordinate with CorpSec team for guidance on Vault setup
• Alternative of using 1Password could be explored but Vault seems to be the recommended approach. Worth exploring though

Related Issues

• Parent issue: #1432 (closed)
• Infrasec review: https://gitlab.com/gitlab-com/gl-security/product-security/product-security-engagements/product-security-requests/-/issues/31
• Corpsec issue: https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues/2530

Dependencies

• Requires PostgreSQL user credentials from the database user creation issue
• Blocks the CI job creation work