Remove OpenBaoProxy
What does this merge request do and why?
Initially, we implemented communication with OpenBao through a proxy. However, with new changes, we've added JWT authentication that allows Rails to communicate directly with OpenBao, eliminating the need for the proxy. The GDK configuration now needs to be updated to reflect this change.
Related links:
- Related issue: gitlab#571318 (closed)
How to set up and validate locally
Clone this branch of this repo, run gdk reconfigure, and then run gdk status as below:
~/code/gdk % gdk status
+--------+-----------+--------------------------+
| PID | STATUS | SERVICE |
+--------+-----------+--------------------------+
| 45008 | up 2761s | gitlab-http-router |
| 76478 | up 10s | gitlab-topology-service |
| 45010 | up 2758s | gitlab-workhorse |
| 45011 | up 2760s | openbao |
| 44976 | up 2761s | postgresql |
| 44998 | up 2758s | praefect |
| 44999 | up 2757s | praefect-gitaly-0 |
| 45013 | up 2761s | rails-background-jobs |
| 45014 | up 2759s | rails-web |
| 44985 | up 2761s | redis |
| 45015 | up 2760s | sshd |
| 45016 | up 2758s | vite |
+--------+-----------+--------------------------+
Observe that the openbao-proxy is no longer present.
I have also confirmed that our interactions with OpenBao via SecretsManagerClient still work by using the recovery_key_retrieve rake task. More info on this rake task: "Resolve "[Rake] OpenBao Recovery Key Generation""
gdk stop openbao && yes | gdk reset-openbao-data && gdk start && sleep 3 && bundle exec rake gitlab:secrets_management:openbao:recovery_key_retrieve
ok: down: /Users/samroque-worcel/code/gdk/services/openbao: 1s
WARNING: We're about to remove OpenBao PostgreSQL data.
DROP DATABASE
CREATE DATABASE
ok: run: /Users/samroque-worcel/code/gdk/services/postgresql: (pid 77303) 4s, normally down
ok: run: /Users/samroque-worcel/code/gdk/services/redis: (pid 77353) 0s, normally down
ok: run: /Users/samroque-worcel/code/gdk/services/praefect: (pid 77361) 1s, normally down
ok: run: /Users/samroque-worcel/code/gdk/services/praefect-gitaly-0: (pid 77362) 1s, normally down
ok: run: /Users/samroque-worcel/code/gdk/services/gitlab-http-router: (pid 77373) 0s, normally down
ok: run: /Users/samroque-worcel/code/gdk/services/gitlab-topology-service: (pid 77374) 0s, normally down
ok: run: /Users/samroque-worcel/code/gdk/services/gitlab-workhorse: (pid 77375) 0s, normally down
ok: run: /Users/samroque-worcel/code/gdk/services/openbao: (pid 77376) 0s, normally down
ok: run: /Users/samroque-worcel/code/gdk/services/rails-web: (pid 77378) 0s, normally down
ok: run: /Users/samroque-worcel/code/gdk/services/rails-background-jobs: (pid 77377) 0s, normally down
ok: run: /Users/samroque-worcel/code/gdk/services/sshd: (pid 77379) 0s, normally down
ok: run: /Users/samroque-worcel/code/gdk/services/vite: (pid 77380) 0s, normally down
=> GitLab available at http://gdk.test:3000
=> - Ruby: ruby 3.3.9 (2025-07-24 revision f5c772fc7c) [arm64-darwin24].
=> - Node.js: v22.19.0.
=> OpenBao is available at http://gdk.test:8200
=> The HTTP Router is available at http://gdk.test:3000
=> The TopologyService is up and running.
Marked old key as inactive.
Persisted key to the database.
Marked key as active.
Impacted categories
The following categories relate to this merge request:
- gdk-reliability - e.g. When a GDK action fails to complete.
- gdk-usability - e.g. Improvements or suggestions around how the GDK functions.
- gdk-performance - e.g. When a GDK action is slow or times out.
Merge request checklist
- This MR references an issue describing the change.
- This change is backward compatible. If not, include steps to communicate to users. It's backward compatible in the sense that it will not impact users of OpenBao.
- Tests added for new functionality. If not, raise an issue to follow-up.
- Observability added/updated (logging, metrics, tracing).
- Documentation added/updated.
- Announcement added for notable changes.
- gdk doctor test added.
Edited by Sam Roque-Worcel