Enable/Disable Group Secrets Manager
Feature
Allow groups to enable/disable secrets management
Scope
- Create feature flag `secrets_manager_group` with `group` actor type
- `GroupSecretsManager` model with state machine (provisioning, active, deprovisioning)
- Database migration for `group_secrets_managers` table
- `InitializeService` - creates GroupSecretsManager record and enqueues provisioning
- `ProvisionService` - creates namespace, auth mount, policies, JWT CEL role (runs in worker)
- `InitiateDeprovisionService` - transitions to deprovisioning state and enqueues cleanup
- `DeprovisionService` - cleans up namespace and resources (runs in worker)
- Background workers: `ProvisionGroupSecretsManagerWorker`, `DeprovisionGroupSecretsManagerWorker`
- GraphQL mutations: `groupSecretsManagerInitialize`, `groupSecretsManagerDeprovision`
- GraphQL queries: `group.secretsManager { status, ... }`
Implementation table
| Area | Reference |
|---|---|
| backend | |
| frontend | #577453 |
Can be split into separate MRs
- MR 1: Initialize mutation (model, services, worker, GraphQL mutation for enable)
- MR 2: Deprovision mutation (services, worker, GraphQL mutation for disable)
Deliverable
Group owners can enable/disable secrets manager in a group
Dependencies
None
Notes
- Creates static policies during provisioning: `pipelines/protected/global` and `pipelines/unprotected/global`
- Policies are initially empty - secret paths are added when secrets are created
- CEL templates check the `project_group_ids` claim (to be added in Issue 7)
- Provisioning/deprovisioning run asynchronously via Sidekiq workers
- State machine transitions: provisioning → active → deprovisioning
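The lifecycle sketched in the Scope and Notes sections, as an added illustration that is not GitLab's code: a plain-Ruby stand-in for the `GroupSecretsManager` state machine, the two synchronous services, and the workers, with an array standing in for Sidekiq and constructed group/actor hashes. The owner check, the `store` hash and `drain_jobs` are assumptions made for the example.

```ruby
# Added illustration (not GitLab code): plain Ruby replaces the state_machines
# gem, an array replaces Sidekiq, a hash replaces the group_secrets_managers table.
class GroupSecretsManager
  # Only the transitions the issue lists: provisioning -> active -> deprovisioning.
  TRANSITIONS = { provisioning: :active, active: :deprovisioning }.freeze
  attr_reader :group_id, :status
  def initialize(group_id)
    @group_id = group_id
    @status = :provisioning
  end
  # Any transition not in the table (e.g. active -> provisioning) raises.
  def transition_to!(target)
    raise ArgumentError, "#{@status} -> #{target} not allowed" unless TRANSITIONS[@status] == target
    @status = target
  end
end

JOB_QUEUE = [] # stand-in for Sidekiq; jobs are drained explicitly below

class InitializeService
  # Assumed owner check: only group owners may enable the secrets manager.
  def self.call(group, actor, store)
    return { error: 'not an owner' } unless group[:owners].include?(actor)
    return { error: 'already exists' } if store.key?(group[:id])
    record = store[group[:id]] = GroupSecretsManager.new(group[:id])
    JOB_QUEUE << [:ProvisionGroupSecretsManagerWorker, group[:id]]
    { manager: record }
  end
end

class InitiateDeprovisionService
  # Deprovisioning is only accepted from the active state; a record that is
  # still provisioning (or missing) is rejected rather than half torn down.
  def self.call(group, actor, store)
    return { error: 'not an owner' } unless group[:owners].include?(actor)
    record = store[group[:id]]
    return { error: 'not active' } unless record && record.status == :active
    record.transition_to!(:deprovisioning)
    JOB_QUEUE << [:DeprovisionGroupSecretsManagerWorker, group[:id]]
    { manager: record }
  end
end

# Worker side: provisioning flips the record to active; deprovisioning deletes it.
def drain_jobs(store)
  until JOB_QUEUE.empty?
    worker, gid = JOB_QUEUE.shift
    case worker
    when :ProvisionGroupSecretsManagerWorker then store[gid].transition_to!(:active)
    when :DeprovisionGroupSecretsManagerWorker then store.delete(gid)
    end
  end
end
```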
Related to &17904
Edited by Mireya Andres