feat(openbao): add install openbao command

[Jcing95]

Summary

Adds oms install openbao — a Day-0 bootstrap command for OpenBao using the Bank-Vaults Operator with SOPS-encrypted DR backups (no external KMS required).

What it does

• Deploys Bank-Vaults Operator via Helm, applies a Vault CR with userpass auth and KV-v2
• Uses Raft storage with persistent volumes for all replica counts (including single-node)
• Waits for init, extracts unseal keys + credentials, encrypts to a SOPS/age DR backup
• On re-run, restores from existing DR backup (idempotent), reusing original credentials
• Root token is never persisted to the cluster (storeRootToken: false); bank-vaults derives temporary root tokens from unseal keys via the Generate Root Token protocol

Other changes

• Helm client refactored to per-call settings (fixes namespace scoping, adds OCI support)
• GvrForUnstructured extended with explicit cases for Vault CR template kinds (ServiceAccount, Role, RoleBinding, Vault)
• DecryptFileWithSOPS helper added
• PVC storage size configurable via --storage-size flag

[Copilot]

Pull request overview

Adds a new oms install openbao subcommand that bootstraps OpenBao via the Bank-Vaults Operator with a SOPS-encrypted DR backup workflow. Also adjusts the Helm client to scope settings/registry per-call, extends the GVR mapper for the new resource kinds, adds a SOPS decrypt helper, and refreshes generated NOTICE files.

Changes:

• New OpenBaoInstaller orchestrating namespace/operator deploy, Vault CR templating, init waiting, DR encrypt/decrypt, and root-token cleanup, plus a CLI wrapper and docs.
• Helm client now creates per-call cli.EnvSettings and a registry client so chart locating/RESTClientGetter use the requested namespace and OCI charts work.
• GvrForUnstructured extended for Vault, ServiceAccount, Role, RoleBinding; DecryptFileWithSOPS helper added.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
internal/installer/openbao.go	Full Day-0 bootstrap pipeline for OpenBao (DR check, password, operator, CR apply, init wait, encrypt, cleanup).
internal/installer/openbao_test.go	Ginkgo tests covering operator deploy, security cleanup, DR pre-flight, init wait, encrypt round-trip.
internal/installer/manifests/openbao/vault-cr.yaml	Embedded template producing SA/Role/RoleBinding and the Bank-Vaults Vault CR.
internal/installer/vault_encryption.go	Adds DecryptFileWithSOPS helper used during DR restore.
internal/installer/helm_client.go	Refactors to per-call helmEnv (settings + action config) and adds OCI registry client.
internal/util/k8s.go	Adds VaultGVR and GVR mappings for new kinds.
cli/cmd/install_openbao.go	New cobra command wiring and prereq check.
cli/cmd/install.go	Registers the new subcommand.
docs/oms_install_openbao.md, docs/oms_install.md	Generated docs for new subcommand.
NOTICE, internal/tmpl/NOTICE	Regenerated dependency NOTICE files.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated no new comments.