[Runner] Utilize OpenBao's Inline Authentication
See inline auth issue for context.
Once implemented and landed in openbao-internal, we should make the change to Runner to support the change. This will require two parts:
- A Rails-indicated inline authentication sentinel, informing the Runner/job that the OpenBao instance supports it (trivially true, but we need to differentiate from the existing Vault auth).
- Updating Runner to conditionally not perform actual authentication but to only do inline authentication based on server indication.
This requires coordination with the Runner team to ensure we can land this change.
The impact of not having this is rather large performance overhead on calls to OpenBao from CIs configured to use our secrets manager. Regarding backwards compatibility, we have not shipped OpenBao so will not need to worry about OpenBao upgrades. And, any old Runner versions which use regular auth will still function (assuming they don't panic on unknown value from Rails), and will perform regular legacy auth which incurs writes.
Regardless, if OpenBao is shipped without inline auth support but later upgraded, the work in #540910 (closed) should give us online status of if inline auth is supported, so we can correctly tell the Runner either way.