Add secrets management project and group limits validations

What does this MR do and why?

Implements application limits for the maximum number of secrets that can be stored in a project/group within GitLab Secrets Manager. This is part of the GA readiness work for GitLab Secrets Manager.

Key Changes

  • SecretCountService: New service that retrieves secret counts from OpenBao via the LIST API with caching for performance optimization (15-minute TTL)
  • SecretsLimitEnforcement concern: Reusable logic for limit validation across services, supporting both project and group secrets managers
  • Limit enforcement: Integrated into Secrets::CreateServiceHelpers to prevent exceeding limits before secret creation

For groups, we currently have only the foundational work in place. Tests will be extended: #585573

Default Limits

  • Project: 100 secrets
  • Group: 500 secrets

Limits can be set to 0 for unlimited secrets.

References

Closes #585572 Partially #585573

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable GitLab Secrets Manager for a project

  2. Set the lower limit: ApplicationSetting.current.update!(project_secrets_limit: 3)

  3. Invalidate settings cache: Gitlab::ApplicationSettingFetcher.expire_current_application_settings

  4. Check Gitlab::CurrentSettings.project_secrets_limit

  5. Create secrets up to the limit (default: 100)

  6. Attempt to create another secret - should receive an error message about the limit being reached

  7. Delete a secret and verify you can create a new one

  8. Enable GitLab Secrets Manager for a group

  9. Set the lower limit: ApplicationSetting.current.update!(group_secrets_limit: 3)

  10. Invalidate settings cache: Gitlab::ApplicationSettingFetcher.expire_current_application_settings

  11. Check Gitlab::CurrentSettings.group_secrets_limit

  12. Create secrets up to the limit (default: 500)

  13. Attempt to create another secret - should receive an error message about the limit being reached

  14. Delete a secret and verify you can create a new one


Edited by Dmytro Biryukov
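
The enforcement pattern described under Key Changes (a cached count, checked before each create, with 0 meaning unlimited), as an added example that is not code from this MR or from GitLab. The class and method names are hypothetical, a Hash stands in for OpenBao, and expiring the cache on writes is an assumption, since the description states only the 15-minute TTL.

```ruby
# Added illustration only: names are hypothetical, not GitLab's code.
class SecretLimitGuard
  LimitReached = Class.new(StandardError)
  TTL_SECONDS = 15 * 60 # the 15-minute cache TTL from the MR description

  attr_reader :list_calls

  # backend: Hash standing in for the OpenBao mount (constructed, in-memory).
  # limit:   maximum number of secrets; 0 means unlimited.
  # clock:   callable returning seconds, injectable so expiry can be exercised.
  def initialize(backend, limit:, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @backend = backend
    @limit = limit
    @clock = clock
    @list_calls = 0
    @cached_count = nil
    @cached_at = nil
  end

  # Cached count; re-lists only when the cache is empty or older than the TTL.
  def count
    now = @clock.call
    if @cached_count.nil? || now - @cached_at >= TTL_SECONDS
      @list_calls += 1 # stands in for one LIST request
      @cached_count = @backend.keys.size
      @cached_at = now
    end
    @cached_count
  end

  # Checks the limit before writing, so a rejected create changes nothing.
  def create(name, value)
    if @limit.positive? && count >= @limit
      raise LimitReached, "secrets limit of #{@limit} reached"
    end
    @backend[name] = value
    @cached_count = nil # assumption: writes expire the cache
  end

  def delete(name)
    @backend.delete(name)
    @cached_count = nil # assumption: deletes expire the cache too
  end
end
```

Without the expiry on writes, a count cached below the limit would keep admitting creates until the TTL lapsed, and a count cached at the limit would keep rejecting them after a delete.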
