Upgrade OpenBao to 2.4.4 (#584672) · Issues · GitLab.org / GitLab

Upgrade OpenBao to 2.4.4

## Summary Upgrade OpenBao to version [2.4.4](https://github.com/openbao/openbao/releases/tag/v2.4.4) across all dependent projects in the cascade. (Upgrade to 2.5.0 if available.) This upgrade provides an opportunity to implement the new version handling outlined in #583133, but this is not a hard requirement for completing the upgrade. ## Projects to Upgrade 1. **openbao-internal** - https://gitlab.com/gitlab-org/govern/secrets-management/openbao-internal - Update OpenBao mirror to 2.4.4 - Create v2.4.4-gitlab1 release - Ensure CI pipeline publishes binaries with git tag 2. **CNG** - https://gitlab.com/gitlab-org/build/CNG - Update `GITLAB_OPENBAO_VERSION` to `v2.4.4-gitlab1` - Update corresponding build argument in Dockerfiles - Publish `gitlab-openbao` images (required for steps 3 and 4) 3. **gitlab:** https://gitlab.com/gitlab-org/ - Update `GITLAB_OPENBAO_VERSION` once CNG images are available. - Update `openbao.rake` with checksums of the new binaries published on https://gitlab.com/gitlab-org/govern/secrets-management/openbao-internal/-/packages. Package version is `v2.4.4-gitlab1`. 5. **OpenBao Chart** - https://gitlab.com/gitlab-org/cloud-native/charts/openbao/ - Update to use OpenBao `v2.4.4-gitlab1` images from CNG 4. **GitLab Chart** - https://gitlab.com/gitlab-org/charts/gitlab - Update to the new release of the OpenBao Chart. 5. **GitLab Secrets Manager Container** - https://gitlab.com/gitlab-org/govern/secrets-management/gitlab-secrets-manager-container - Update to use OpenBao `v2.4.4-gitlab1` images from CNG ## Implementation plan 1. [x] Upgrade openbao-internal and release version. https://gitlab.com/gitlab-org/govern/secrets-management/openbao-internal/-/merge_requests/33 2. [x] Validate against CNG on GDK. https://gitlab.com/gitlab-org/gitlab/-/jobs/12635490177 3. [x] Upgrade CNG (Renovate). https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2780 4. [x] Upgrade OpenBao Chart 5. [x] Upgrade GitLab Chart 6. [x] Upgrade Runway project ## Further details This upgrades includes [Enable transactional namespace creation #2003](https://github.com/openbao/openbao/pull/2003), which was included in OpenBao 2.4.3 (see [release notes](https://github.com/openbao/openbao/releases/tag/v2.4.3)). Upgrading to 2.4.4 ensures this fix is in place and prevents future database corruption when OpenBao suddenly stops while creating a namespace. See https://gitlab.com/gitlab-org/gitlab/-/issues/568356#note_2953771477

issue