GitLab Secrets Manager (OpenBao)

The GitLab Secrets Manager uses OpenBao, an open-source secrets management solution. OpenBao provides secure storage, access control, and lifecycle management for secrets used in your GitLab instance.

GitLab CI/CD jobs using secrets from the GitLab Secrets Manager must use GitLab Runner 18.6 or later.

OpenBao architecture

OpenBao integrates with GitLab as an optional component that runs in parallel to existing GitLab services.

• The Rails backend and runners connect to the OpenBao API through a load balancer.
• OpenBao stores data in PostgreSQL. The Helm chart configures OpenBao to store data in the main GitLab database by default.
• OpenBao gets the unseal key from a secret store.
• OpenBao reads the unseal key from a Kubernetes secret mounted by the Helm chart.
• OpenBao posts audit logs to the Rails backend when audit logs are enabled.

flowchart TB
    SecretStore[Secret store]
    PostgreSQL[PostgreSQL]
    LB[Load balancer]
    OpenBao[OpenBao active node]

    Rails-- Write secrets and permissions -->LB
    Runner-- Get pipeline secrets -->LB
    LB-->OpenBao
    OpenBao-- Get unseal key -->SecretStore
    OpenBao-- Store -->PostgreSQL

OpenBao runs with a single active node that handles all requests, and optionally multiple standby nodes that take over if the active node fails.

Install OpenBao

Prerequisites:

• You must have administrator access to the instance.
• You must be running GitLab 18.8 or later.
• You must have a Kubernetes cluster.

To install OpenBao, use the OpenBao Helm chart for Kubernetes deployments.

After installation, verify that OpenBao is working by following the GitLab Secrets Manager user documentation to test secret operations.

OpenBao resource requirements depend on your GitLab instance size and secret usage patterns.

Monitor your deployment and adjust resources as needed based on actual usage patterns.

CPU requirements

OpenBao CPU usage is primarily driven by:

• How often CI/CD jobs fetch secrets.
• How often the Secrets Manager is accessed through the GitLab UI.

Recommended number of CPU cores:

For example, testing a deployment with 100,000 secrets corresponded to 139 fetch operations per second. This assumes each secret is fetched by a CI/CD job approximately every 12 minutes, and OpenBao makes full use of its memory cache.

Memory requirements

OpenBao memory usage primarily depends on the number of projects where GitLab Secrets Manager is enabled. You should allocate at least 1 GB of memory per 200 projects, plus a safety margin of 1 GB.

Recommended memory allocation:

Storage requirements

Storage requirements for the PostgreSQL database depends primarily on the number of secrets. It takes about 13 KB to store a single version of a secret and the corresponding metadata.

Usage example:

• 100,000 secrets = ~1.5 GB
• 200,000 secrets = ~3 GB

Backup and restore

OpenBao data is stored in PostgreSQL and should be included in your regular GitLab backup procedures.

For detailed backup and restore procedures specific to OpenBao, see the OpenBao backup documentation.

High availability

For production deployments, consider:

• Running multiple OpenBao replicas for redundancy
• Using a highly available PostgreSQL backend
• Implementing proper monitoring and alerting

Health check and monitoring

OpenBao provides health check endpoints for monitoring:

• openbao.example.com/v1/sys/health: Returns the health status of OpenBao
• openbao.example.com/v1/sys/seal-status: Returns the seal status

You can integrate these endpoints with your monitoring system.

Performance issues

If you experience slow secret operations:

• Check OpenBao resource usage (CPU, memory)
• Verify PostgreSQL backend performance
• Check network latency between OpenBao and its PostgreSQL backend