Add Support for pkcs#11/hsm auto-unseal

[voigt]

Is your feature request related to a problem? Please describe.

Since version 2.2.0 OpenBao supports HSM. To use it, not only a dedicated build, but also a shared library (see pkcs#11 sealing stanza) is required.

Describe the solution you'd like

• add hsm/pkcs#11 toggle to Helm values, which then switches to the HSM distribution of OpenBao (openbao/openbao-hsm-ubi)
• provide an option to mount a shared library to the OpenBao container
  • option a) add shared library via init container
  • option b) add shared library via sidecar (is this even possible?)
  • option c) add shared library via mounting host filesystem
  • option d) add custom image if OpenBao that has the shared library built in

Describe alternatives you've considered

Alternatively we could run a separate helm chart dedicated to HSM usage.

Additional context

Without this feature, someone who wants to unseal OpenBao via pkcs#11 needs to run its own custom helm chart.

[karras]

@pree @eyenx @Nerkho Is that something either of you could look into?

[pree]

@karras Currently already have a backlog of items I'm working on, but could tackle this afterwards. @eyenx @Nerkho feel free to take this if you have time!

[Nerkho]

@karras you can assign this to me. I'll have a look into it.

[eyenx]

related: #81