Add ADR-014: Direct API access to secrets for non-CI/CD workloads

What does this MR do and why?

Adds ADR-014 to the GitLab Secrets Manager design document, recording the architectural decision to support direct API access to secrets from non-CI/CD workloads.

This ADR documents the decisions made in gitlab-org/gitlab#594090 and implemented in gitlab-org/gitlab!240364 and gitlab-org/gitlab!241443.

The MRs are used as the source of truth where they diverge from the issue spec.

Key decisions documented

  • New api_jwt OpenBao mount (parallel to pipeline_jwt and user_jwt) with its own CEL role
  • New REST endpoint POST /api/v4/projects/:id/secrets_manager/access_token (and group variant) that mints a short-lived JWT and returns OpenBao connection details shaped like external-secrets.io/v1.VaultProvider
  • New secrets_manager_scope: "api" JWT claim extending ADR-012
  • New read_value secret permission (separate from the existing metadata-only read/read_metadata)
  • Two-policy structure per principal: management policy on user_jwt, read-only policy on api_jwt
  • Authorization model: minting gated by create_secrets_manager_api_jwt (Reporter+), value reads gated by read_value in OpenBao
  • Beta maturity behind secrets_manager_api_access feature flag

Also updates _index.md to link ADR-014 in the Decisions section.

Merge request reports

Loading