Initial GitLab Secret Manager (OpenBao) support (!1763) · Merge requests · GitLab.org / GitLab Environment Toolkit

What does this MR do?

The MR adds Experimental initial GitLab Secret Manager (OpenBao) support

Cloud Native Hybrid support only with Chart (no Operator)
Only for external DB installations (cloud provider DBs, not Omnibus PG cluster)
Deployed on Supporting node pool
OpenBao DB is created as separate logical DB on main PG
Limited Geo support aligning with GitLab Secret Manager feature Geo support status

Feature additions:

Required configurations from user are OpenBao URL, db password for OpenBao DB, and Chart specific deployment configs - replicas, CPU and memory limits
TLS is enabled if URL contains https
Optional support for Unseal keys secret allowing users to provide values for secret - required for Geo installation to sync the key between sites
Monitoring is enabled with PodMonitor setting
The MR also adds OpenBao molecule scenario for local testing

When ready for review, the Author applies the workflowready for review label and mention @gitlab-org/software-delivery/get-maintainers:

Merge request:
- Corresponding Issue raised and reviewed by the GET maintainers team.
- Merge Request Title and Description are up-to-date, accurate, and descriptive
- MR targeting the appropriate branch
- MR has a green pipeline
- MR has no new security alerts in the widget from the Secret Detection and IaC Scan (SAST) jobs.
Code:
- Check the area changed works as expected across all expected permutations.
  - Testing notes are available at https://gitlab.com/gitlab-org/gitlab-environment-toolkit/-/issues/1138#note_2832402731
- Check that the changes work across upgrades.
- Documentation created/updated in the same MR if applicable - No documentation due to Experimental status

Closes #1138

Edited Jan 07, 2026 by Nailia Iskhakova