Provision GitLab self-managed ultimate license with Duo Enterprise to support AI setup with staging AI gateway

Overview

The current process of provisioning staging licenses requires manual steps and takes time, slowing developers down when setting up the GDK. This is a particular pain point when developers use the staging AI gateway and require an ultimate staging license with Duo Enterprise seats.
This issue is about implementing a temporary solution mentioned in this ADR by using staging licenses that will be shared between developers.

This is connected to the bigger effort to automate license provisioning: https://gitlab.com/gitlab-org/gitlab-development-kit/-/issues/3047

Impacted categories

The following categories relate to this issue:

Steps to replicate

Ultimate license:

  1. Install the 1Password CLI tool: https://developer.1password.com/docs/cli/get-started/.
  2. Turn on the CLI integration in the desktop app.
  3. Enable license provisioning: gdk config set gdk.license_provisioning.enabled true.
  4. Run gdk reconfigure.
  5. Go to the subscriptions page and verify that you have an active ultimate license.

Ultimate license with Duo Enterprise:

  1. Install the 1Password CLI tool: https://developer.1password.com/docs/cli/get-started/.
  2. Turn on the CLI integration in the desktop app.
  3. Enable license provisioning: gdk config set gdk.license_provisioning.enabled true.
  4. Set the Duo tier to be enterprise: gdk config set gdk.license_provisioning.duo.tier enterprise.
  5. Run gdk reconfigure.
  6. Go to the subscriptions page and verify that you have an active ultimate license.

Proposal

Follow the approach used in runbooks to use the 1Password CLI tool to fetch staging GitLab licenses from a shared vault.
The password vault should contain the most commonly used license combinations while using a reasonable number of seats:

  • [x] self managed ultimate
  • [ ] self managed ultimate + duo_pro
  • [x] self managed ultimate + duo_enterprise
  • [ ] self managed premium
  • [ ] self managed premium + duo_pro
  • [ ] saas ultimate
  • [ ] saas ultimate + duo_pro
  • [ ] saas ultimate + duo_enterprise
  • [ ] saas premium
  • [ ] saas premium + duo_pro

After a license is fetched from the password vault, store it in a local file, which should not be committed, so that subsequent reconfigure runs can skip the fetching step.
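The fetch-once caching described above, sketched as an added example (not GDK's own code). It assumes the license is read with `op read`; the secret reference `op://EXAMPLE_VAULT/EXAMPLE_ITEM/license` and the function names are placeholders.

```shell
#!/bin/sh
# Added example (not GDK code). LICENSE_REF is a placeholder secret reference.
LICENSE_REF="${LICENSE_REF:-op://EXAMPLE_VAULT/EXAMPLE_ITEM/license}"

# Read the license text from the shared vault with the 1Password CLI.
fetch_license() {
  op read "$LICENSE_REF"
}

# Succeed only if the cache path cannot end up in a commit: it is outside any
# git work tree (or git is unavailable), or untracked and matched by an ignore rule.
license_path_is_safe() {
  dir=$(dirname -- "$1")
  name=$(basename -- "$1")
  git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
  if git -C "$dir" ls-files --error-unmatch -- "$name" >/dev/null 2>&1; then
    return 1
  fi
  git -C "$dir" check-ignore -q -- "$name"
}

# provision_license FILE: print "cached" or "fetched"; non-zero on failure.
provision_license() {
  file=$1
  # A non-empty cache file means a previous run already fetched the license.
  if [ -s "$file" ]; then
    echo cached
    return 0
  fi
  mkdir -p -- "$(dirname -- "$file")"
  if ! license_path_is_safe "$file"; then
    echo "refusing to cache license: $file is tracked or not git-ignored" >&2
    return 1
  fi
  tmp="$file.tmp.$$"
  # The file is unencrypted, so create it 0600 (umask 077) and move it into
  # place only after a successful, non-empty fetch.
  if (umask 077 && fetch_license >"$tmp") && [ -s "$tmp" ]; then
    mv -f -- "$tmp" "$file"
    echo fetched
  else
    rm -f -- "$tmp"
    echo "license fetch failed" >&2
    return 1
  fi
}
```

Because the cached file holds the license in plain text, the ignore-rule check and the 0600 mode are the only things keeping it out of a commit or another local user's reach.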

Decisions

  • To keep the manual provisioning of licenses to a minimum and still provide an automation for most of the use cases (feature testing and AI setup with staging AI gateway), we decided to only provide self managed ultimate and self managed ultimate + duo_enterprise licenses to start with.
  • Since the fetched license data is stored in a local file, which is not tracked or committed, we can deliver the first version of this feature without encrypting the content of the file.
Edited by Matias Alvarez