Relax mandatory requirement of API key to use external spam check service
In !31449 (merged), we added support for external spam check services. In !60385 (merged), we added the ability to provide an API key to validate requests to this external spam check service. These MRs were implemented with our own spamcheck tool in mind, and the way we will be deploying it in GitLab.com.
With !60385 (merged), we made it mandatory to provide an API key to use an external spamcheck service. From a security standpoint, this definitely made sense. However, we have one glaring problem - spamcheck doesn't have any authentication capabilities on its own - gitlab-com/gl-security/engineering-and-research/automation-team/spam/spamcheck#171 (moved). For GitLab.com, authentication is done at the service mesh level using JWTs.
However, we are starting to ship spamcheck to self-managed users in omnibus-gitlab!5478 (merged). For single node instances where spamcheck is running over localhost, ANY value (except blank) will work for API key. However, this sucks from a documentation perspective, IMO. And it doesn't display the reality of the situation w.r.t. authentication.
Should we just relax this requirement until gitlab-com/gl-security/engineering-and-research/automation-team/spam/spamcheck#171 (moved) is done (then, we can make connections over localhost also behind authentication)?