Refactor secrets manager to use namespaces
What does this MR do and why?
Refactor secrets manager to use namespaces
In OpenBao v2.3.0, released June 25, 2025, namespace support was added, providing stronger tenant isolation. While our policies were carefully constructed to guarantee this, using namespaces adds an additional level of isolation above that to help guarantee it. Additionally, future improvements to OpenBao will give per-namespace encryption keys, further segmenting storage for tenants.
The use of namespaces is required to ultimately support org-mover for Cells; per-project namespaces allow moving subsets of an organization's data across cells as this is the smallest unit OpenBao will eventually allow transferring.
References
- See also: https://openbao.org/docs/release-notes/2-3-0/
- See also: https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/secret_manager/
- Resolves: #554281 (closed)
Signed-off-by: Alexander Scheel <ascheel@gitlab.com>
How to set up and validate locally
Any projects with existing secrets managers enabled will need to be disabled and then re-enabled using the new namespace logic.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.