[OpenBao] Facilitate namespace migration tooling


This may require upstream design tasks. Presumably cell architecture will require unique encryption keys for each cell.

Some ideas:

  • With namespace locking, we can ensure no requests to a tenant come in. Subsequently, we could use something similar to parallel unseal for namespace seals to re-encrypt the root key of the namespace for the target cell cluster's asymmetric key. A PostgreSQL-level data migration may subsequently occur and the dangling namespace be both removed from storage and imported to the new storage location. This latter step may require namespace surgery or an upstream mechanism to support out-of-band moving (e.g., sys/namespaces/<path>/prepare-for-move which writes the namespace entry from this mount into the namespace storage, which the new cluster would detect and load after data migration is complete).
  • Alternatively, an exportable storage bundle could be created, encrypted with a one-time asymmetric key from the remote cluster. How to authenticate this is not clear. But, this would enable operators to lock, export, import, and delete from the first cluster. This may cause leases to be revoked, which may or may not be problematic.
Edited by 🤖 GitLab Bot 🤖
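
One way the second idea above (an export bundle encrypted to a one-time key from the remote cluster) could look, added here as an illustration and not OpenBao code. The function names, the X25519 + SHA-256 + AES-256-GCM construction, and binding the namespace path as associated data are all assumptions; a real design would more likely use HPKE (RFC 9180). It gives confidentiality and path binding only and does not authenticate either cluster, which is the open question noted in the issue.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// newOneTimeKey: the target cluster makes one per migration and publishes the public half.
func newOneTimeKey() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }
// aeadFor derives a single-use AES-256-GCM key (used once, with the all-zero nonce)
// from the shared secret and both public keys. Simplified KDF, an assumption.
func aeadFor(priv *ecdh.PrivateKey, peer, eph, target *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer) // returns an error for low-order peer keys
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(append(shared, eph.Bytes()...), target.Bytes()...))
	blk, _ := aes.NewCipher(key[:]) // 32-byte key, cannot fail
	return cipher.NewGCM(blk)
}

// SealBundle runs on the source cluster once the namespace is locked.
// nsPath is bound as associated data, so the bundle only opens for that path.
func SealBundle(targetPub *ecdh.PublicKey, nsPath string, bundle []byte) (*ecdh.PublicKey, []byte, error) {
	eph, err := newOneTimeKey()
	if err != nil {
		return nil, nil, err
	}
	aead, err := aeadFor(eph, targetPub, eph.PublicKey(), targetPub)
	if err != nil {
		return nil, nil, err
	}
	return eph.PublicKey(), aead.Seal(nil, make([]byte, aead.NonceSize()), bundle, []byte(nsPath)), nil
}

// OpenBundle runs on the target cluster with the private half of its one-time key.
func OpenBundle(targetPriv *ecdh.PrivateKey, ephPub *ecdh.PublicKey, nsPath string, sealed []byte) ([]byte, error) {
	aead, err := aeadFor(targetPriv, ephPub, ephPub, targetPriv.PublicKey())
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), sealed, []byte(nsPath))
}
func main() {
	priv, _ := newOneTimeKey() // constructed demo key standing in for the target cluster
	eph, ct, _ := SealBundle(priv.PublicKey(), "tenant-a/", []byte("constructed bundle"))
	pt, err := OpenBundle(priv, eph, "tenant-a/", ct)
	println(string(pt), err == nil)
}
```

Deleting the target's private key after import is what makes the key one-time: a copied bundle cannot be opened again, on this cluster or any other.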