Deploy gitlab-openbao CNG image on Runway

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Work on this issue

Why are we doing this work

We should deploy the gitlab-openbao image built by the GitLab CNG project for consistency and to reduce maintenance.

As a result of this change, gitlab-secrets-manager-container tracks the latest gitlab-openbao image. It no longer pins a specific version of OpenBao, as this is the case today:

• https://gitlab.com/gitlab-org/govern/secrets-management/gitlab-secrets-manager-container/-/blob/a5ba1b89aec87b3999785056cc0ccd8d53e6dbc6/Makefile#L2
• https://gitlab.com/gitlab-org/govern/secrets-management/gitlab-secrets-manager-container/-/blob/a5ba1b89aec87b3999785056cc0ccd8d53e6dbc6/Dockerfile#L4

Relevant links

• Add Containers for OpenBao (gitlab-org/build/CNG!2659 - merged)

Non-functional requirements

• Documentation: Update README of Runway project: https://gitlab.com/gitlab-org/govern/secrets-management/gitlab-secrets-manager-container
• Feature flag:
• Performance:
• Testing:

Implementation plan

Update https://gitlab.com/gitlab-org/govern/secrets-management/gitlab-secrets-manager-container project to use gitlab-openbao image.

• Select image (UBI-based or not).
• Update Runway deployment project.
  • CI config
  • Makefile
  • README

Verification steps

After updating the build,

• Deploy to staging using Runway.
• Check OpenBao logs. Make sure it's running.

Repeat on production.

/cc @ken.mcdonald @cipherboy-gitlab