Deprovision secrets management on project delete or move

Related: #576427 (closed)

What does this MR do and why?

Currently, when a project is deleted or moved between namespaces, we don't remove the associated data from OpenBao. This creates orphaned secrets that persist in OpenBao even after the project no longer exists.

This MR adds a callback that asynchronously deprovisions secrets management when a project is deleted or a namespace is moved.


How to set up and validate locally

To verify that no data is left behind in OpenBao after moving or removing a project, you can run checks locally using the bao CLI.

  1. Configure OpenBao access

    Configure your local environment to access the OpenBao instance used by GDK, following the “Debug access” instructions here:

    https://gitlab-org.gitlab.io/gitlab-development-kit/howto/openbao/#debug-access

    Ensure the relevant environment variables (such as BAO_ADDR, BAO_TOKEN, etc.) are exported so that bao can authenticate successfully.

  2. Run validation commands

    After performing the project move or removal, use the bao CLI to confirm that no KV entries or namespaces remain for the old project:

    Check if a specific KV secret still exists

    bao kv get -namespace=group_151/project_79 secrets/kv/explicit/test1

    List all namespaces

    bao namespace list

    List namespaces under the specific group

    bao namespace list -namespace=group_151

    Expected behavior depends on the operation:

    • For a removed project, the bao kv get command should fail (no data found), and the corresponding group_151/project_79 namespace should no longer be listed.
    • For a moved project, the old namespace (group_151/project_79) should be gone.

If any secrets remain under the old group_<id>/project_<id> namespace, it indicates that cleanup did not complete correctly.
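The two checks above can be wrapped in a small POSIX shell helper so that the verification is repeatable after every delete or move. This is an added example, not code from the MR or from GitLab; it assumes the bao CLI is on PATH with BAO_ADDR and BAO_TOKEN exported as in step 1, that `bao namespace list` prints one child namespace per line with a trailing slash under a "Keys" header (the table output format), and that `bao kv get` exits non-zero when no data is found. The group and project IDs (151, 79) and the KV path are the constructed values from the steps above.

```shell
#!/bin/sh
# Added example (not part of the MR): verify that OpenBao holds nothing for a
# project after it has been deleted or moved. Assumes bao on PATH and
# BAO_ADDR / BAO_TOKEN exported (step 1 of the validation instructions).

# namespace_absent PROJECT_NS
# Reads `bao namespace list -namespace=group_<id>` output from stdin and succeeds
# only if no entry names PROJECT_NS (entries look like "project_79/"). The "Keys"
# header and "----" rule never match an exact "<name>/" line, so no stripping needed.
namespace_absent() {
  want="$1"
  if grep -qx "${want}/"; then
    return 1
  fi
  return 0
}

# secret_absent NAMESPACE KV_PATH
# Succeeds when `bao kv get` finds no data. Note that an auth or connectivity
# failure also exits non-zero, so confirm access first (e.g. `bao token lookup`)
# before trusting an "absent" result.
secret_absent() {
  if bao kv get -namespace="$1" "$2" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# check_project_deprovisioned GROUP_ID PROJECT_ID [KV_PATH]
# Runs both checks against the live OpenBao instance used by GDK and prints a
# verdict per check; exits non-zero if anything was left behind.
check_project_deprovisioned() {
  group="group_$1"
  project="project_$2"
  kv_path="${3:-secrets/kv/explicit/test1}"   # constructed path from the MR text
  status=0

  # If the parent group namespace has no children, bao prints nothing useful on
  # stdout and the project is treated as absent, which is the desired outcome.
  if bao namespace list -namespace="$group" 2>/dev/null | namespace_absent "$project"; then
    echo "OK:   namespace $group/$project is no longer listed"
  else
    echo "FAIL: namespace $group/$project is still listed"
    status=1
  fi

  if secret_absent "$group/$project" "$kv_path"; then
    echo "OK:   no KV data at $group/$project:$kv_path"
  else
    echo "FAIL: KV data still readable at $group/$project:$kv_path"
    status=1
  fi
  return $status
}

# Usage, after deleting or moving project 79 out of group 151:
#   check_project_deprovisioned 151 79
```

Run `check_project_deprovisioned <group_id> <project_id>` once the deletion or move has been processed; because the cleanup runs asynchronously, a FAIL immediately after the operation may only mean the background job has not finished yet, so re-run the check once Sidekiq has drained before concluding that cleanup did not complete.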

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dmytro Biryukov
