OpenBao sizing recommendations analysis

Summary

Create sizing guidance for OpenBao deployments to help GitLab administrators provision appropriate resources.

Problem Statement

GitLab administrators who want to deploy OpenBao need guidance on OpenBao resource requirements and on the projected sizing they need to apply. The current approach is to deploy the OpenBao service to the Supporting node pool. Customers therefore need to understand by how much they should increase that pool and how to estimate this. The difficulty is that secrets fetching is async and depends heavily on the customer's workload, so it will be unique to each customer.

Example: https://docs.gitlab.com/integration/zoekt/#sizing-recommendations

High-Level Plan

  1. Develop workload correlation models

    • Analyze the relationship between GitLab usage patterns and secrets consumption: customers with N projected RPS load in the P90-95 case have X RPS for CI jobs.
    • Create estimation formulas: the estimated OpenBao feature usage is that Y% of jobs would use secrets, resulting in a <> RPS projection for N RPS load.
  2. Run performance testing with projected load

    • Run performance testing for the smallest and biggest identified loads, and identify what increase to the Supporting node pool is required
  3. Create projected sizing matrix

    • Define sizing matrix based on performance test results
    • Document results, clarifying that estimations are projected and that customers will need to monitor and adjust accordingly

Known Limitations

  • OpenBao workload depends on secrets usage
  • Runners fetch secrets sequentially, so secrets-per-job doesn't directly correlate to load
  • Limited existing data for 1:1 proxy metrics (masked variables usage is closest available)
  • Performance heavily influenced by network topology (between runner, OpenBao, and PostgreSQL)

Exit Criteria

  • Sizing recommendations matrix: Specific resource recommendations for different deployment scenarios
  • User-facing documentation: Practical sizing guidance accessible to administrators
  • Cross-link to Reference Architecture: Document OpenBao in Next steps (note that since OpenBao is an optional component, OpenBao guidance will be cross-linked from the RA under Next steps (example))

Related Issues

Edited by Fabien Catteau