[OpenBao] Inline, Write-less Authentication
OpenBao's authentication incurs writes to the following storage entries:
The token store:
sys/token/id/{id}
sys/token/accessor/{accessor}
The expiration manager:
sys/expire/id/auth/{mount_uuid}/login/{id}
These entries are also read on leadership change to check for necessary revocations. Because there is no schema (besides K/V), it is hard to optimize this in general.
Further, when horizontal scalability lands, we need to be able to scale across these nodes; login requests incur a write and thus cannot be handled by standby nodes, so they must be forwarded to the single active node, which limits scalability to the requests made after login.
For a CI access pattern, this becomes difficult.
Thus, we need inline, write-less authentication flows for OpenBao and need them to be consumed by Runner and Rails.
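As an added illustration (not code from this issue or from the linked design document), the write-bound flow beside one possible write-less shape: a self-describing token signed under a key every node holds, so a standby can validate it without forwarding or touching storage. The storage paths are the ones listed above; the map, key, claim fields and identifiers are constructed placeholders, and the inline token format is an assumption, not the OpenBao proposal.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// StoredLogin is today's flow: the login writes the token-store and expiration-
// manager entries named in the issue, so only the active node can serve it.
// The map stands in for the K/V backend; the stored values are placeholders.
func StoredLogin(store map[string]string, mountUUID, id, accessor string, exp time.Time) {
	store["sys/token/id/"+id] = "token entry for " + id
	store["sys/token/accessor/"+accessor] = id
	store["sys/expire/id/auth/"+mountUUID+"/login/"+id] = exp.UTC().Format(time.RFC3339)
}

// InlineClaims is one possible self-describing token shape (assumed here for
// illustration, not the OpenBao proposal): what a node needs to validate the
// token travels inside it, signed under a key every node already holds.
type InlineClaims struct {
	Mount    string   `json:"mount"`
	Policies []string `json:"policies"`
	Exp      int64    `json:"exp"` // Unix seconds
}

func mac(key, body []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return m.Sum(nil)
}

// IssueInline signs the claims; nothing is written, so any node can issue.
func IssueInline(key []byte, c InlineClaims) string {
	body, _ := json.Marshal(c) // plain fields cannot fail to marshal
	return base64.RawURLEncoding.EncodeToString(body) + "." + base64.RawURLEncoding.EncodeToString(mac(key, body))
}

// VerifyInline needs only the key: a standby validates without forwarding
// to the active node and without reading or writing storage.
func VerifyInline(key []byte, tok string, now time.Time) (c InlineClaims, err error) {
	b64body, b64sig, ok := strings.Cut(tok, ".")
	body, err1 := base64.RawURLEncoding.DecodeString(b64body)
	sig, err2 := base64.RawURLEncoding.DecodeString(b64sig)
	if !ok || err1 != nil || err2 != nil || !hmac.Equal(sig, mac(key, body)) {
		return InlineClaims{}, errors.New("malformed token or bad signature")
	}
	if err := json.Unmarshal(body, &c); err != nil || now.Unix() >= c.Exp {
		return InlineClaims{}, errors.New("invalid or expired token")
	}
	return c, nil
}
```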
A design document with proof of concept is available here: https://gist.github.com/cipherboy/941d5cdab88705f290a0824b986fb62e
Since that document already includes a proof of concept, the scope of this ticket is design, consensus, and implementation.
This will likely be delayed until OpenBao v2.4.0.