Switch OpenBao to declarative self-init, Postgres
What does this merge request do and why?
This aligns OpenBao with our usage and configuration in the upcoming Helm charts. We provision an additional logical database in the PostgreSQL instance and use declarative self-init with a static unseal key for managing Rails JWT configuration.
As a result, the root token and unseal shares are no longer required and configuration steps are greatly reduced.
This also adds OpenBao to the GitLab configuration, when enabled.
Resolves: gitlab#523846
Signed-off-by: Alexander Scheel <ascheel@gitlab.com>
Related feature design doc: https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/secret_manager/
How to set up and validate locally
- Follow updated howto guidance! I'd like to ensure that the updated guidance is correct and reasonable.
Impacted categories
The following categories relate to this merge request:
- gdk-reliability - e.g. When a GDK action fails to complete.
- gdk-usability - e.g. Improvements or suggestions around how the GDK functions.
- gdk-performance - e.g. When a GDK action is slow or times out.
Merge request checklist
- This MR references an issue describing the change.
- This change is backward compatible. If not, please include steps to communicate to our users. --> Existing users with existing OpenBao instances are not impacted until they run gdk reconfigure, in which case they'll retain but not default to referencing existing data. However, OpenBao is still in closed experiment so we expect usage of GDK with OpenBao to be minimal outside of GitLab.
- Tests added for new functionality. If not, please raise an issue to follow-up.
- Documentation added/updated, if needed.
- Announcement added, if change is notable.
- gdk doctor test added, if needed.
Edited by Alex Scheel