[Rake] OpenBao Recovery Key Generation

Why are we doing this work

OpenBao requires recovery keys for emergency access when the primary authentication method (OIDC) is unavailable. Currently, there's no user-friendly way for administrators to generate and validate these recovery keys in GitLab.

Proposal

Create a Rake task that allows to:

1. Generate OpenBao recovery keys by calling the API with a non-zero value.
2. Validate that the generated keys work properly.

See also [Rails] OpenBao Recovery Key Generation (#570943) for implementing the same in the GitLab UI.

Relevant links

• Associated with #570943
• OpenBao API - Rotate Init Documentation
• OpenBao API - Rotate Verify Documentation

Non-functional requirements

• Documentation: Appropriate rake task documentation.
• Feature flag: secrets_manager
• Performance: This is a relatively simple rake task that makes less than 10 HTTP requests. Does not require performance testing.
• Testing: See verification steps below.

Implementation plan

MR 1:

• Create a new database model, SecretsManagement::RecoveryKey, which has the appropriate fields as required. These should be the useful fields returned by the /sys/rotate/recovery/init endpoint. Data should be encrypted as a secret.

MR 2:

• Create a new rake task, as well as tests as documented here Testing Rake tasks. I've not found an existing file that would be suitable, so potentially we can create a new task under lib/tasks/gitlab/openbao. Maybe /ee/lib/tasks/gitlab/secrets_management/openbao.rake
• This task should only run if secrets_manager FF is enabled.
• Utilise this rake task to invoke the API. We will need to modify ee/lib/secrets_management/secrets_manager_client.rb and invoke from the rake task.
• Specifically, we need to make a POST to /sys/rotate/recovery/init. Code & documentation.
• Store the secret in the newly created model.

Required parameters:
    secret_shares: NA? need to pass 0.
    secret_threshold: NA? not used by code as far as I can see.
    pgp_keys: nil
    backup: false
    require_verification: false

Discussion below.

Verification steps

1. Verify this task locally in GDK. Ensure we have a successful rotation of recovery keys.