GitLab Secrets Manager - OpenBao Profiles
## Description
This epic enables GitLab Secrets Manager to leverage OpenBao Profiles for single-request management and orchestration of OpenBao from GitLab Rails. OpenBao Profiles allow operators to declaratively define complex multi-request workloads while providing single-API visibility. GitLab will leverage them to improve performance, decrease data loss risks, and simplify migration strategies.
### Problem We're Solving
OpenBao Profiles allow operators to define new API endpoints which internally make multiple internal requests, providing a high-level API to a low-level service offering. This reduces latency of multi-request flows and allow operators to provide a facade over OpenBao's raw API.
GitLab Rails today often makes multiple requests to OpenBao in handling a single request:
- When listing secrets in the dashboard, Rails synthesizes data across the OpenBao list + per-secret metadata endpoints.
- When fetching a secret, Rails loads secret metadata and confirms access policies are set.
- When updating a secret, Rails writes data, metadata, and updates multiple ACL policies.
- When deleting a secret, Rails must delete data and modify or remove multiple ACL policies.
Long term, this sets us up for GitLab add-on and better stability.
### How We Solve It
- Rails declaratively defines its secret requirements via profiles
- The system automatically provisions appropriate secrets based on the profile/role
- Enables consistent, scalable secret management across the GitLab hierarchy
- Reduces manual configuration and operational overhead
- Aligns with GitLab's existing inheritance model for secrets
#### Dependencies
- Team dependencies: Coordination with OpenBao community for profile specifications leveraging GitLab engineering for community contribution
- External dependencies: OpenBao Profiles specification and implementation
- Incorporating changes into new release of OpenBao and adopting within GitLab deployment of Secrets Manager
- Support and collaboration with ~"group::operate" for any necessary deployment and configuration changes
#### References
* https://openbao.org/blog/profiles/
* https://gitlab.com/gitlab-com/content-sites/handbook/-/merge_requests/17396
* [Proposal](https://gitlab.com/gitlab-com/content-sites/handbook/-/blob/secrets-manager-future-design/content/handbook/engineering/architecture/design-documents/secrets_manager_plugin_architecture_strategy/_index.md?ref_type=heads#openbao-profiles)
#### DRIs
* **PM**: `@ashalem`
* **EM**: `@mmishaev`
* **UX/PDM**: `@jtouchstone1`
* **Group(s)**: ~"group::pipeline security"
* **Engineering Owner**: `@mmishaev`
#### Initiative Driver - Product or Engineering?
- [ ] **Product-driven initiatives (P1/P2/P3)** - Customer-facing features or improvements driven by Product teams that require engineering resources and commitment
- These initiatives require a Product Priority label (P1/P2/P3)
- They may also receive GTM tier labels (T1/T2/T3) for external communication
- [x] **Engineering-driven initiatives (E1/E2/E3)** - Internal technical improvements that may not have customer-facing components
- These initiatives require an Engineering Priority label (E1/E2/E3)
- They have internal visibility only and are not externally communicated
---
### Hygiene Guidelines
:bulb: \_See additional details about this process at https://handbook.gitlab.com/handbook/product-development/r-and-d-interlock/
##### :one: Pre-Interlock
- [x] Update epic description with all relevant information
- [x] Ensure all dependencies are identified
- [x] Apply appropriate labels (see below)
- [ ] Apply target delivery Milestone
- [ ] Update interlock status as discussions progress (via label)
##### :two: Post-Interlock: once quarter begins
- Update health status weekly (via label)
- Document any newly identified risks or dependencies
- Link to implementation epics/issues as work begins
- Flag any scope or timeline changes immediately
epic