Add ADR-014: Direct API access to secrets for non-CI/CD workloads
What does this MR do and why?
Adds ADR-014 to the GitLab Secrets Manager design document, recording the architectural decision to support direct API access to secrets from non-CI/CD workloads.
This ADR documents the decisions made in gitlab-org/gitlab#594090 and implemented in gitlab-org/gitlab!240364 and gitlab-org/gitlab!241443.
The MRs are used as the source of truth where they diverge from the issue spec.
Key decisions documented
- New
api_jwtOpenBao mount (parallel topipeline_jwtanduser_jwt) with its own CEL role - New REST endpoint
POST /api/v4/projects/:id/secrets_manager/access_token(and group variant) that mints a short-lived JWT and returns OpenBao connection details shaped likeexternal-secrets.io/v1.VaultProvider - New
secrets_manager_scope: "api"JWT claim extending ADR-012 - New
read_valuesecret permission (separate from the existing metadata-onlyread/read_metadata) - Two-policy structure per principal: management policy on
user_jwt, read-only policy onapi_jwt - Authorization model: minting gated by
create_secrets_manager_api_jwt(Reporter+), value reads gated byread_valuein OpenBao - Beta maturity behind
secrets_manager_api_accessfeature flag
Also updates _index.md to link ADR-014 in the Decisions section.