Implement stale indicator for secrets

Why are we doing this work

Secrets transactions require multiple API calls to OpenBao and Rails to complete the operation. These calls happen sequentially, and if any call fails, the subsequent operations are not attempted. A partial failure in a previous operation can therefore leave a secret partially available to view but returning an error when it is accessed or used (the scenarios are detailed in the description of Design UX for handling partially failed operati... (#538171 - closed)).

Proposal

We need a way to indicate in the UI whether a secret is Healthy (the secret transaction was completely successful) or Needs attention (the transaction partially failed). If the secret Needs attention, the user can try to repair it.

On the backend side, this requires two endpoints:

  1. checkSecretHealth - checks if the secret is healthy
  2. repairSecret - mutation that fixes what's missing in the secret.

Relevant links

Refer to #538171 (comment 2725622649) for the relevant discussion.

Implementation table

| Group | Issue Link |
| --- | --- |
| backend | 👈 You are here |
| frontend | Indicate in the UI if a secret needs attention |

Implementation plan

Backend Changes

  1. Add stale attribute to secret response model
    • Add boolean stale field to the secret metadata response
    • Field should indicate whether the secret needs to be recreated
  2. Implement stale detection logic (based on #571232 comment 2779063881)
    • Determine staleness criteria, mostly just an error message from OpenBao
    • Apply logic when fetching a secret
    • Return stale: true/false in API response
  3. Update relevant API endpoints
    • Modify list secrets endpoint to include stale status
    • Modify get secret details endpoint to include stale status
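
A sketch of the detection step in item 2, added here as an illustration and not taken from the GitLab code base: a two-step create fails after the metadata write, and the list endpoint derives `stale` from the backend error raised on fetch. All class, method and error names are hypothetical, the in-memory backend stands in for OpenBao, and the criterion used (metadata present, value missing) is an assumption because the real criteria live in the referenced comment.

```ruby
# Added illustration; every name below is hypothetical.
class BackendError < StandardError; end        # stands in for an OpenBao API error
class BackendUnavailable < StandardError; end  # outage: says nothing about the secret

# In-memory stand-in for the secrets backend (constructed for this example).
class FakeBackend
  attr_writer :down

  def initialize
    @meta = {}
    @values = {}
    @down = false
  end

  def write_metadata(name, meta)
    @meta[name] = meta
  end

  def write_value(name, value)
    @values[name] = value
  end

  def names
    @meta.keys
  end

  def read_value(name)
    raise BackendUnavailable, 'connection refused' if @down
    raise BackendError, "no value found for #{name}" unless @values.key?(name)
    @values[name]
  end
end

# Sequential transaction: a failure after step 1 leaves metadata without a value.
def create_secret(backend, name, value, fail_after_metadata: false)
  backend.write_metadata(name, { 'description' => 'constructed sample' })
  raise BackendError, 'simulated failure between calls' if fail_after_metadata
  backend.write_value(name, value)
end

# Stale detection applied on fetch. Only the backend's error about the secret
# maps to stale; an outage propagates so healthy secrets are not mislabelled.
def stale?(backend, name)
  backend.read_value(name)
  false
rescue BackendError
  true
end

# List response exposes only the name and the boolean, never the value or raw error.
def list_secrets(backend)
  backend.names.map { |n| { name: n, stale: stale?(backend, n) } }
end
```
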

Verification steps

Backend Verification

  1. API Response Testing
    • Call the list secrets endpoint and verify the stale attribute is present in the response
    • Verify stale is true for secrets meeting the staleness criteria
    • Verify stale is false for valid/current secrets
  2. Stale Detection Logic
    • Create a test secret that meets the staleness criteria (based on #571232 comment 2779063881)
    • Confirm the secret is correctly identified as stale
    • Create a fresh secret and confirm it's marked as not stale
Edited by 🤖 GitLab Bot 🤖