Secrets Manager: Backfill api_jwt mount and role into existing SM namespaces
## Problem Non-CI/CD secret access (#594090) adds a new `api_jwt` OpenBao mount and `all_api_access` CEL role. The provision service creates these for **new** SM enrollments. Projects and groups already enrolled in Secrets Manager will not have the new mount and role, so the access-token endpoint will not work for them until they are backfilled. ## Proposal Backfill the `api_jwt` mount and `all_api_access` CEL role into every already-enrolled SM namespace, reusing the same provisioning code path #594090 adds for new enrollments. - Iterate existing project and group secrets managers. - For each, provision the `api_jwt` mount + role if missing (idempotent). - Anchor on the existing maintenance-task / cron pattern so a crash leaves the work retryable, consistent with how provisioning and deprovisioning already recover. ## Scope - In scope: the backfill itself, idempotency, retry/recovery, and its spec. - Out of scope: the endpoint, the JWT class, and new-enrollment provisioning (all in #594090). ## Notes - Additive only. Existing `pipeline_jwt` and `user_jwt` mounts are untouched. - Should run safely on GitLab.com scale and on self-managed. ## Related - #594090 (endpoint + new-enrollment provisioning, this issue's parent)
issue