
feat(installer): support templated install configs from vault#457

Open
schrodit wants to merge 2 commits into
mainfrom
config-template

Conversation

@schrodit
Member

@schrodit schrodit commented May 27, 2026

Summary

  • Add Go template rendering for install configs with dynamic {{ secret "..." }} lookups backed by prod.vault.yaml
    • I decided to not use a simple struct like {{ vault.mySecret.password }} because using a function makes it more generic to support other stores like vault where secrets are rather fetched async.
  • Add a generic configtemplating package and a vault-backed installer secret store
    • The current vault is in a separate package to be able to switch the store with a different one e.g. openbao.
  • Support explicit vault path handling via oms install codesphere --vault
  • Render install configs to temporary 0600 files and warn when secrets.baseDir differs from the passed vault directory

Example

Use the newly added `oms config template` command to test it out locally.

```yaml
# Example config.yaml fragment using secrets from prod.vault.yaml.
#
# Rendered by:
#   oms install codesphere --config config.yaml --vault prod.vault.yaml --priv-key age_key.txt ...
#
# Secret values are read dynamically from prod.vault.yaml and are not stored in
# plaintext in config.yaml.

secrets:
  baseDir: ./secrets

codesphere:
  override:
    global:
      license:
        key: '{{ secret "codesphereLicenseKey" }}'

postgres:
  override:
    auth:
      username: '{{ secret "postgresAdmin" "fields.username" }}'
      password: '{{ secret "postgresAdmin" "fields.password" }}'
```

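The following is an added illustration of the rendering flow the PR description outlines, not code from this pull request or from the repository. It shows a `secret` template function of the shape used in the config fragment above (`{{ secret "name" }}` and `{{ secret "name" "fields.username" }}`), backed by a swappable store interface, with the rendered output written to a temp file that only the invoking user can read. The `SecretStore` interface, the `memStore` stand-in for a decrypted `prod.vault.yaml`, the function names and the placeholder values are all assumptions made for this example; the real `configtemplating` package may differ.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"text/template"
)

// SecretStore abstracts the backing vault (assumed interface, not the project's own).
type SecretStore interface{ Get(name string) (any, error) }

// memStore is a constructed in-memory stand-in for a decrypted prod.vault.yaml.
type memStore map[string]any

func (m memStore) Get(name string) (any, error) {
	if v, ok := m[name]; ok {
		return v, nil
	}
	return nil, fmt.Errorf("secret %q not found in vault", name)
}

// sampleVault holds constructed placeholder values, not real credentials.
var sampleVault = memStore{"codesphereLicenseKey": "LICENSE-KEY-PLACEHOLDER",
	"postgresAdmin": map[string]any{"fields": map[string]any{"username": "pgadmin", "password": "PASSWORD-PLACEHOLDER"}}}

// lookupField walks a dotted path such as "fields.username" through nested maps.
func lookupField(v any, path string) (any, error) {
	for _, part := range strings.Split(path, ".") {
		m, ok := v.(map[string]any)
		if !ok {
			return nil, fmt.Errorf("cannot descend into %q: not a map", part)
		}
		if v, ok = m[part]; !ok {
			return nil, fmt.Errorf("field %q not found", part)
		}
	}
	return v, nil
}

// secretFunc builds {{ secret "name" ["field.path"] }}; returning an error aborts the
// whole render instead of silently writing an empty value into the config.
func secretFunc(store SecretStore) func(string, ...string) (string, error) {
	return func(name string, path ...string) (string, error) {
		v, err := store.Get(name)
		if err != nil {
			return "", err
		}
		if len(path) > 1 {
			return "", fmt.Errorf("secret %q: at most one field path allowed", name)
		}
		if len(path) == 1 {
			if v, err = lookupField(v, path[0]); err != nil {
				return "", fmt.Errorf("secret %q: %w", name, err)
			}
		}
		s, ok := v.(string)
		if !ok {
			return "", fmt.Errorf("secret %q: value is %T, not a string (pass a field path)", name, v)
		}
		return s, nil
	}
}

// RenderConfig renders a templated install config with all secrets resolved.
func RenderConfig(tmpl string, store SecretStore) (string, error) {
	t, err := template.New("config").Funcs(template.FuncMap{"secret": secretFunc(store)}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, nil); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// WriteRendered writes the rendered config to a temp file; os.CreateTemp opens it with
// mode 0600, so other users on the host cannot read the resolved secrets.
func WriteRendered(rendered string) (string, error) {
	f, err := os.CreateTemp("", "install-config-*.yaml")
	if err != nil {
		return "", err
	}
	if _, err := f.WriteString(rendered); err != nil {
		f.Close()
		return "", err
	}
	return f.Name(), f.Close()
}
```

Two choices matter here. The template function returns `(string, error)` rather than a bare string, so a missing secret or a field path that does not resolve fails the whole render; a config that silently contains an empty password is worse than one that is not produced at all. And because the store is an interface, the same template code works against an in-memory map in tests and against a real vault file in the installer, which is the reason the description gives for preferring a function over a fixed struct lookup.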
@schrodit schrodit requested a review from joka134 May 27, 2026 20:29
@schrodit schrodit self-assigned this May 27, 2026
Render install config templates through a shared configtemplating package.

Add vault-backed secret lookup with explicit vault path handling for install and bootstrap flows.

Signed-off-by: Tim Schrodi <tim@codesphere.com>
Signed-off-by: schrodit <7979201+schrodit@users.noreply.github.com>
