[OpenBao] Environment-Provided Keys Auto-Unseal Method

Operationalizing OpenBao on Kubernetes is difficult without an auto-unseal mechanism. In all GitLab Kubernetes deployments, we assume a functioning k8s secrets API implementation. This means we have a parent root-of-trust we can chain OpenBao to, for auto-unseal using pre-provisioned, static encryption keys.

GitLab may lack RBAC permissions to create secrets, so we need to support explicitly created (e.g., human in the loop) secrets.

KMS- or HSM-backed auto-unseal remains preferable wherever the environment supports it; environment-provided static keys are the fallback for environments that do not.

This issue tracks the design, consensus, and implementation work for this upstream.

A sketch design is here: https://gist.github.com/cipherboy/de8f3738d9afaab60298ba9e97b1a906. Dan Ghita has given consensus, having had a very similar need at a very similar time.
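To make the mechanism concrete, here is an added illustration (not OpenBao's code, nor the design in the gist) of what a static-key seal has to get right: the root key is wrapped with AES-GCM under a 256-bit key handed in by the environment, the wrapping key's id is stored with the blob and bound as associated data, and a previous key can be kept so that rotating the environment does not leave existing blobs unrecoverable. The type and function names, and the convention that keys arrive as raw 32-byte values, are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StaticSeal holds environment-provided 256-bit keys by id; Current wraps, older ids only unwrap.
type StaticSeal struct {
	Current string
	Keys    map[string]cipher.AEAD
}

// NewStaticSeal fails at startup (not at unseal time) on wrong-length keys or a missing current id.
func NewStaticSeal(current string, keys map[string][]byte) (*StaticSeal, error) {
	s := &StaticSeal{Current: current, Keys: map[string]cipher.AEAD{}}
	for id, k := range keys {
		if len(k) != 32 {
			return nil, fmt.Errorf("seal key %q: need 32 bytes, got %d", id, len(k))
		}
		block, _ := aes.NewCipher(k) // length validated above
		s.Keys[id], _ = cipher.NewGCM(block)
	}
	if _, ok := s.Keys[current]; !ok {
		return nil, fmt.Errorf("current key id %q was not provided", current)
	}
	return s, nil
}

// Wrap encrypts the root key under the current key, returning (key id, nonce||ciphertext);
// the id is bound as associated data so a blob cannot be replayed under a different id.
func (s *StaticSeal) Wrap(rootKey []byte) (string, []byte, error) {
	aead := s.Keys[s.Current]
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	return s.Current, aead.Seal(nonce, nonce, rootKey, []byte(s.Current)), nil
}

// Unwrap recovers the root key; an unknown id (key rotated away) leaves OpenBao sealed.
func (s *StaticSeal) Unwrap(keyID string, blob []byte) ([]byte, error) {
	aead, ok := s.Keys[keyID]
	if !ok || len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("cannot unseal: no usable static key %q", keyID)
	}
	n := aead.NonceSize()
	return aead.Open(nil, blob[:n], blob[n:], []byte(keyID))
}
```

The operational consequence is the rotation rule: inject the new key as Current but keep the old one under its id until the stored root key has been rewrapped, otherwise the next restart cannot unseal.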

Edited by Alex Scheel