OpenBao AWS KMS unseal support

What does this MR do?

Introduces AWS KMS key support for OpenBao unsealing in the GitLab Environment Toolkit. This enables secure key management through AWS KMS instead of static key files, providing better security posture and automatic key rotation capabilities.

Implementation Details

This MR adds support for configuring OpenBao with AWS KMS seal through the GitLab Helm chart. The changes include:

  1. Variable for KMS Key ID: Adds a new variable to pass the AWS KMS key ID to the OpenBao Helm chart
  2. Chart Configuration: Configures the awskms seal type through chart values
  3. Geo Compatibility: Ensures the same KMS key can be used across Geo sites for consistent unsealing

gitlab#561304 (comment 3213534206)

Author's checklist

When ready for review, the Author applies the workflow::ready for review label and mentions @gitlab-org/software-delivery/get-maintainers:

  • Merge request:
    • Corresponding Issue raised and reviewed by the GET maintainers team.
    • Merge Request Title and Description are up-to-date, accurate, and descriptive
    • MR targeting the appropriate branch
    • MR has a green pipeline
    • MR has no new security alerts in the widget from the Secret Detection and IaC Scan (SAST) jobs.
  • Code:
    • Check the area changed works as expected across all expected permutations.
    • Check that the changes work across upgrades.
    • Documentation created/updated in the same MR if applicable
Edited by Nailia Iskhakova
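
A reviewer-side check for the Geo compatibility point above, as an added example that is not code from this MR or from the GitLab Environment Toolkit: it reads the `seal` stanza from each site's rendered OpenBao configuration and reports sites that do not use `awskms`, that disagree on `kms_key_id`, or that embed static AWS credentials. It assumes the chart renders a standard OpenBao `seal "awskms"` stanza; the site names, key IDs and the `check_sites` helper are constructed for illustration.

```python
import re

# Constructed sample configs for two Geo sites (placeholder values, not from the MR).
PRIMARY = '''
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "11111111-2222-3333-4444-555555555555"
}
'''
SECONDARY_OK = PRIMARY
SECONDARY_BAD = '''
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "99999999-2222-3333-4444-555555555555"
  access_key = "AKIAEXAMPLEEXAMPLE"
}
'''

SEAL_RE = re.compile(r'seal\s+"(\w+)"\s*\{([^}]*)\}')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)

def parse_seal(config):
    """Return (seal_type, attrs) for the first seal stanza, or (None, {})."""
    m = SEAL_RE.search(config)
    if not m:
        return None, {}
    return m.group(1), dict(ATTR_RE.findall(m.group(2)))

def check_sites(sites):
    """sites maps site name to config text. Returns findings; empty means consistent."""
    findings, key_ids = [], {}
    for name, config in sites.items():
        seal_type, attrs = parse_seal(config)
        if seal_type != "awskms":
            findings.append(f"{name}: seal type is {seal_type!r}, expected 'awskms'")
            continue
        if not attrs.get("kms_key_id"):
            findings.append(f"{name}: kms_key_id is missing")
        else:
            key_ids[name] = attrs["kms_key_id"]
        # Static credentials in the stanza defeat the point of moving off key files.
        for secret in ("access_key", "secret_key"):
            if secret in attrs:
                findings.append(f"{name}: static {secret} in seal stanza")
    if len(set(key_ids.values())) > 1:
        findings.append(f"sites use different KMS keys: {key_ids}")
    return findings
```
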
