feat: add OpenBao agent injector component

[Soypete]

Summary

• Adds openbao-injector as a new foundry component (foundry component install openbao-injector)
• Installs the OpenBao agent injector via Helm (injector-only, server.enabled=false)
• Registers a MutatingWebhookConfiguration so pods with vault.hashicorp.com/agent-inject: "true" annotations automatically receive secrets mounted from OpenBao
• Auto-detects the OpenBao address from stackConfig.GetPrimaryOpenBAOAddress()
• Adds docs/pod-secrets.md covering pod annotation patterns, dash-compatible entrypoints, Kubernetes auth setup, and troubleshooting

Test plan

• foundry component install openbao-injector succeeds
• kubectl get mutatingwebhookconfigurations | grep openbao shows the webhook
• Pod with vault.hashicorp.com/agent-inject: "true" annotation gets a vault-agent-init init container
• After configuring Kubernetes auth in OpenBao, secrets appear at /vault/secrets/

🤖 Generated with Claude Code

[todpunk]

Good foundation — the component structure, Helm lifecycle handling (deploy/upgrade/failed cleanup), and dependency wiring all follow existing patterns well. ParseConfig uses GetString() correctly and the HelmClient interface matches what other components do.

A few things to address before merge:

Tests (blocking)
We need tests for every feature per project policy. At minimum: config parsing (defaults, overrides, missing external_vault_addr), install with mock helm client (fresh, upgrade, failed release cleanup), and error paths. Other components have this pattern that can be followed.

CSIL schema missing
types.gen.go has the "Code generated by csilgen; DO NOT EDIT" header but there's no .csil file in csil/v1/components/. Either the schema file was accidentally left out or the generated header is misleading — please add the schema and regenerate since none of these files should be altered by anything post generation.

OpenBao address error silently swallowed
In install.go, if GetPrimaryOpenBAOAddress() fails, the error is dropped and the user later gets a generic "external_vault_addr is required" message with no indication why auto-detection failed. Please surface the underlying error.

Hardcoded http:// and port 8200
fmt.Sprintf("http://%s:8200", addr) will break silently with TLS or non-default ports. Try deriving protocol/port from config rather than hardcoding. The rest of the stack should already have that in config.

Minor

• Config should have a Validate() method called from ParseConfig() to match the pattern used by other components
• Extra blank line after the openbaoInjectorComp registration in registry/init.go
• Adding openbao-injector to the k8sComponents map re-aligned existing entries — just add the new line without changing whitespace on external-dns and velero

[todpunk]

there's no .csil file in csil/v1/components/. Either the schema file was accidentally left out or the generated header is misleading — please add the schema and regenerate since none of these files should be altered by anything post generation

[todpunk]

fmt.Sprintf("http://%s:8200", addr) will break silently with TLS or non-default ports. Try deriving protocol/port from config rather than hardcoding. The rest of the stack should already have that in config.

[todpunk]

if GetPrimaryOpenBAOAddress() fails, the error is dropped and the user later gets a generic "external_vault_addr is required" message with no indication why auto-detection failed. Please surface the underlying error.