Add SaaS toggle to enroll namespace to secrets manager
What does this MR do and why?
The secrets manager feature will be available for open beta in the next milestone (%19.1).
This adds a new setting for top-level groups that enables the secrets manager feature for all groups and projects under this root group through an enrollment toggle. The secrets manager can be provisioned individually for child groups and child projects only when the top level group is enrolled first.
The setting is developed under the secrets_manager_namespace_enrollment feature flag. This is only available for SaaS, so this setting will not show for self-managed. Refer to !235078 (merged) for the backend code and how this is gated.
Since a top-level group is also a group, it'll show both the enrollment toggle and provisioning toggle. The provisioning toggle is disabled until the TLG is enrolled.
Notes:
- GSM = GitLab Secrets Manager
- TLG = top-level group
Technical Changes
- Added `namespace_enrollment_data` to `secrets_helper.rb`. The data we pass to the Vue app for the group secrets manager settings is moved here.
  - Added `can_enroll_namespace` and `is_namespace_enrollable`
  - Used more granular permissions like `:provision_secrets_manager` and `:create_secrets_manager_enrollment` instead of `:admin_group`
- Created new `SecretsManagerSaasEnrollmentToggle` Vue component that toggles the enrollment status for top level groups
- Updated the UI for the secrets manager settings to accommodate the new toggle and make sure we're safeguarding the provisioning toggle through a GSM enrollment check
References
Implements Frontend: Add Secrets Manager Open Beta setting... (#598615 - closed).
Requires !235078 (merged) (backend) to be merged first.
Enrollment behavior is different for self-managed, and will be implemented on the instance level. See #598060 (closed).
Screenshots or screen recordings
NOTE: It looks like the loading state for the provisioning toggle isn't showing up after calling the mutation. This is an existing bug but it's out of scope for this MR (which is focused more on the enrollment toggle). We'll investigate this later and create a follow-up MR to fix this.
The setting will not show up for user namespaces or for top-level groups in self-managed:
(Screenshots: User namespace (SaaS or self-managed); TLG (self-managed))
Possible error states (toggles are disabled when openbao connection is unhealthy or when GSM enrollment cannot be fetched):
How to set up and validate locally
- Pull the backend changes from !235078 (merged) or make sure it is merged.
- Run gdk with SaaS enabled: `GITLAB_SIMULATE_SAAS=1 gdk start`
- Upload a Premium license (or above).
- Set up openbao and enable the secrets manager on your gdk.
- Enable the following feature flags: `secrets_manager`, `group_secrets_manager`, `secrets_manager_namespace_enrollment`.
- Go to your root group settings (Settings > General) and expand Permissions and group features.
- Turn on the toggle to enroll the namespace. This will make the secrets manager available for all groups and projects under this group.
- To test on projects, go to the project settings (Settings > General) and expand **Visibility, project features, permissions**.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
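
The toggle gating described above for SaaS, modelled as a pure function that fails closed when the enrollment state is unknown. This is an added example, not code from this MR or from GitLab. Only `canEnrollNamespace` and `isNamespaceEnrollable` mirror names in the description; every other field, and the choice to show a disabled toggle to users without the permission, is an assumption.

```javascript
// Added sketch, not GitLab's code. Field names other than canEnrollNamespace
// and isNamespaceEnrollable are hypothetical. Models the SaaS behaviour only.
const HIDDEN = 'hidden';
const DISABLED = 'disabled';
const ENABLED = 'enabled';

// True only when OpenBao is reachable and the enrollment query succeeded.
// A loading, failed or missing result is "unknown", never "enrolled".
function backendKnown(ctx) {
  return ctx.openbaoHealthy === true && ctx.enrollment?.status === 'loaded';
}

function enrollmentToggle(ctx) {
  // Not rendered for user namespaces, subgroups, projects or self-managed.
  if (ctx.isNamespaceEnrollable !== true) return HIDDEN;
  if (!backendKnown(ctx)) return DISABLED;
  // Assumption: without the enrollment permission the toggle is disabled.
  return ctx.canEnrollNamespace === true ? ENABLED : DISABLED;
}

function provisioningToggle(ctx) {
  if (!backendKnown(ctx)) return DISABLED;
  // Provisioning is offered only once the top-level group is enrolled.
  if (ctx.enrollment.enrolled !== true) return DISABLED;
  return ctx.canProvision === true ? ENABLED : DISABLED;
}

function toggleStates(ctx) {
  return {
    enrollment: enrollmentToggle(ctx),
    provisioning: provisioningToggle(ctx),
  };
}

// Constructed sample contexts for a user holding both permissions.
const owner = { canEnrollNamespace: true, canProvision: true, openbaoHealthy: true };
const tlg = { ...owner, isNamespaceEnrollable: true };
const samples = {
  'TLG, not enrolled': { ...tlg, enrollment: { status: 'loaded', enrolled: false } },
  'TLG, enrolled': { ...tlg, enrollment: { status: 'loaded', enrolled: true } },
  'subgroup, root enrolled': { ...owner, isNamespaceEnrollable: false, enrollment: { status: 'loaded', enrolled: true } },
  'enrollment fetch failed': { ...tlg, enrollment: { status: 'error' } },
  'openbao unhealthy': { ...tlg, openbaoHealthy: false, enrollment: { status: 'loaded', enrolled: true } },
};
for (const [name, ctx] of Object.entries(samples)) {
  console.log(name, toggleStates(ctx));
}
```

The UI state is a convenience only; per the description, the actual gate is the backend in !235078.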





