Secrets Manager: Runtime Support (CD/Kubernetes)
## Description

### Summary

Extend the secrets manager beyond CI pipelines to support Continuous Deployment use cases, particularly Kubernetes workload secrets injection. Enable external applications and K8s controllers to authenticate and retrieve secrets.

### Target Metrics

1. In refinement

### Success Metrics

1. In refinement

### Problem Statement

The current implementation is CI-only:

- No REST API for secret values (only metadata via GraphQL)
- JWT authentication tied to CI jobs (`PipelineJwt`)
- No service account mechanism for external apps
- No K8s integration (External Secrets Operator)
- No workload identity federation

### Proposal

Implement multiple access methods for deployment scenarios:

```mermaid
flowchart TB
    subgraph Access["Access Methods"]
        CI["CI Pipeline"]
        ESO["K8s ESO"]
        App["External App"]
        CLI["glab CLI"]
    end
    subgraph Auth["Authentication"]
        JWT["Pipeline JWT"]
        SA["Service Account Token"]
        OIDC["OIDC/Workload Identity"]
    end
    CI --> JWT
    ESO --> SA
    App --> SA
    App --> OIDC
    Auth --> SM["Secrets Manager REST API"]
```

### Key Deliverables

1. **REST API for Secret Values**
   - `GET /api/v4/projects/:id/secrets/:name/value`
   - `GET /api/v4/groups/:id/secrets/:name/value`
   - Bulk secret retrieval
   - Version-specific access
2. **Service Accounts**
   - Create/manage service accounts
   - Token generation with TTL
   - Permission scoping (secret patterns)
   - Token rotation
3. **External Secrets Operator Integration**
   - GitLab SecretStore provider
   - ExternalSecret resource support
   - Auto-sync on rotation
4. **Workload Identity**
   - OIDC authentication
   - Cloud workload identity (GKE, EKS, AKS)
   - Kubernetes service account binding

### User Stories

| ID | Story | Points |
|----|-------|--------|
| US-6.1 | REST API - Read secret value | 8 |
| US-6.2 | REST API - List secrets | 5 |
| US-6.3 | Create service account | 8 |
| US-6.4 | Generate service account token | 5 |
| US-6.5 | Service account permissions | 8 |
| US-6.6 | ESO SecretStore provider | 13 |
| US-6.7 | ESO ExternalSecret support | 8 |
| US-6.8 | OIDC authentication | 13 |
| US-6.9 | glab CLI secrets commands | 5 |
| US-6.10 | Kubernetes workload identity | 8 |
| US-6.11 | Rate limiting for external access | 3 |

**Total Story Points:** ~84

### Technical Requirements

- New REST API endpoints
- New models: `ServiceAccount`, `ServiceAccountToken`, `ServiceAccountPermission`
- ESO provider development
- OIDC configuration in OpenBao

### Non-Functional Requirements

| Category | Requirement |
|----------|-------------|
| Performance | API response < 200ms |
| Scalability | 10K service accounts, 1K requests/sec |
| Security | Token encryption, audit logging |
| Availability | 99.9% API uptime |

### Effort Estimate

- **Duration:** 3-4 months
- **Team:** 3-4 engineers (3 BE, 1 Platform)
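The service-account path in deliverables 1 and 2 (a TTL-bound token, permissions scoped by secret-name pattern, rotation, and the authorization check a call to `GET /api/v4/projects/:id/secrets/:name/value` would pass through) is sketched below as an added example. This is not GitLab code: the three model names come from the epic, but every field, method, the `glsa-` token prefix and the glob syntax for secret patterns are assumptions made for illustration.

```ruby
require 'securerandom'
require 'digest'

# Added example (not GitLab code): a constructed model of the authorization
# path behind GET /api/v4/projects/:id/secrets/:name/value when the caller
# presents a service account token. The model names ServiceAccount,
# ServiceAccountToken and ServiceAccountPermission come from the epic; every
# field, method, the "glsa-" prefix and the glob pattern syntax are assumptions.

# A permission scopes one service account to secrets in one project whose
# names match a glob pattern such as "prod/db/*".
ServiceAccountPermission = Struct.new(:project_id, :secret_pattern) do
  def allows?(pid, secret_name)
    # FNM_PATHNAME stops "*" from crossing "/", so "prod/*" cannot reach
    # "prod/db/password"; a grant has to name the level it covers.
    pid == project_id && File.fnmatch(secret_pattern, secret_name, File::FNM_PATHNAME)
  end
end

class ServiceAccountToken
  PREFIX = 'glsa-' # assumed prefix so leaked tokens are easy to spot in scanners
  attr_reader :digest, :expires_at, :revoked

  def initialize(ttl_seconds, now: Time.now)
    @plaintext = PREFIX + SecureRandom.hex(20)
    @digest = Digest::SHA256.hexdigest(@plaintext) # only the digest is persisted
    @expires_at = now + ttl_seconds               # TTL is mandatory, no unbounded tokens
    @revoked = false
  end

  # The plaintext is handed to the caller exactly once and then dropped.
  def reveal_once
    value = @plaintext
    @plaintext = nil
    value
  end

  def revoke!
    @revoked = true
  end
end

class ServiceAccount
  attr_reader :name, :permissions, :tokens

  def initialize(name)
    @name = name
    @permissions = []
    @tokens = []
  end

  def grant(project_id, pattern)
    @permissions << ServiceAccountPermission.new(project_id, pattern)
    self
  end

  def issue_token(ttl_seconds, now: Time.now)
    token = ServiceAccountToken.new(ttl_seconds, now: now)
    @tokens << token
    token
  end

  # Rotation: issue the replacement first, then revoke every other live token,
  # so a caller that picks up the new value never sees a window with no token.
  def rotate!(ttl_seconds, now: Time.now)
    previous = @tokens.reject(&:revoked)
    fresh = issue_token(ttl_seconds, now: now)
    previous.each(&:revoke!)
    fresh
  end
end

class SecretAccessAuthorizer
  def initialize(accounts)
    @accounts = accounts
  end

  # Returns :ok, :unauthenticated, :revoked, :expired or :forbidden. Checks run
  # in that order so a dead token is never reported as a permission problem.
  def authorize(presented, project_id, secret_name, now: Time.now)
    digest = Digest::SHA256.hexdigest(presented.to_s)
    @accounts.each do |account|
      token = account.tokens.find { |t| secure_equal?(t.digest, digest) }
      next unless token
      return :revoked if token.revoked
      return :expired unless now < token.expires_at
      return :ok if account.permissions.any? { |p| p.allows?(project_id, secret_name) }
      return :forbidden
    end
    :unauthenticated
  end

  private

  # Constant-time comparison of two equal-length hex digests.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Usage: `acct = ServiceAccount.new('deploy-bot').grant(42, 'prod/db/*')`, then `plain = acct.issue_token(3600).reveal_once` is the value handed to the external app or ESO `SecretStore`, and `SecretAccessAuthorizer.new([acct]).authorize(plain, 42, 'prod/db/password')` returns `:ok` while any other project, a non-matching name, an expired or rotated token, or an unknown token each yields a distinct non-`:ok` result that the audit log can record. Storing only the digest means a database read never exposes a usable credential, which is the concrete form the "Token encryption" row in the non-functional requirements would need to take for this path.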