Change GitLab sensitive data to secrets, and encrypt for GitOps usage

[adamrushuk]

• https://github.com/mozilla/sops
• https://github.com/mozilla/sops#23encrypting-using-azure-key-vault
• https://github.com/bitnami-labs/sealed-secrets
• Consider using key vault secret to sync to k8s secret or ConfigMap using akv2k8s: https://akv2k8s.io/tutorials/sync/6-secret-to-configmap/
• Create secret to mount as ENV var for GITLAB_OMNIBUS_CONFIG:
  • Move dynamic config data to their own env vars, eg: EXTERNAL_URL and GITLAB_ROOT_PASSWORD: https://docs.gitlab.com/omnibus/settings/configuration.html#specifying-the-external-url-at-the-time-of-installation
  • https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template#L641-645
  • Use secretKeyRef: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables

[adamrushuk]

https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template#L641-645

#### Change the initial default admin password and shared runner registration tokens.
####! **Only applicable on initial setup, changing these settings after database
####!   is created and seeded won't yield any change.**
# gitlab_rails['initial_root_password'] = "password"
# gitlab_rails['initial_shared_runners_registration_token'] = "token"

EXTERNAL_URL
GITLAB_ROOT_PASSWORD