Enabling OpenBao (Development Only)
This guide is meant to target developers who want to enable the OpenBao integration with GitLab.
Prerequisites
- GitLab Ultimate (developer) license.
- A Kubernetes cluster with a public IP.
- A cert-manager installation (can be the cert-manager bundled with this chart).
Setup GitLab and OpenBao
Install or upgrade GitLab with a developer license and enable OpenBao:

```yaml
# Enable OpenBao integration
global:
  openbao:
    enabled: true
# Install bundled OpenBao
openbao:
  install: true
```
Initialise OpenBao. Make sure to pass the correct namespace, release name, and the external GitLab and OpenBao URLs.

```shell
export NAMESPACE=gitlab
export RELEASE=gitlab
curl -s "https://gitlab.com/gitlab-org/cloud-native/charts/openbao/-/blob/main/scripts/dev/init-bao.sh" \
  | bash -s -- https://gitlab.example.com https://openbao.example.com
```
First, the script initialises OpenBao and stores the unseal and root keys as Kubernetes secrets. Then, it sets up the authentication policies and revokes the original root token.
Enable the necessary feature flags in a Rails console:

```ruby
Feature.enable(:secrets_manager)
Feature.enable(:ci_tanukey_ui)
```
1. In GitLab, on the left sidebar, select Search or go to and find your project.
2. Select Settings > General.
3. Expand Visibility, project features, permissions.
4. Turn on the Secrets Manager toggle, and wait for the Secrets Manager to be provisioned.
Configuration
Configuring the database
By default, OpenBao connects to the main Rails database with the same credentials and configuration.
If you want to use another database, you can override these settings:
```yaml
openbao:
  config:
    storage:
      postgresql:
        connection:
          host: "psql.openbao.example.com"
          port: 5432
          database: openbao
          username: openbao
          connectTimeout:
          keepalives:
          keepalivesIdle:
          keepalivesInterval:
          keepalivesCount:
          tcpUserTimeout:
          sslMode: "disable"  # no TLS to the database; suitable for development only
          password: {}
            # secret:
            # key:
```
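The override above turns off TLS to the database and leaves the password reference empty, which is acceptable for a throwaway development cluster. As an added example that is not part of the chart or this guide, the following Python lint walks a values document (loaded into a dict by any YAML parser; the sample values here are constructed) and flags those two settings next to a hardened variant; the finding codes, helper names and the hardened variant's Secret name and key are assumptions, and `verify-full` is a libpq sslmode value.

```python
from typing import Any

# Constructed sample: the dev-only override in this guide, as a YAML parser loads it.
DEV_VALUES: dict[str, Any] = {
    "global": {"openbao": {"enabled": True}},
    "openbao": {"install": True, "config": {"storage": {"postgresql": {"connection": {
        "host": "psql.openbao.example.com", "port": 5432, "database": "openbao",
        "username": "openbao", "sslMode": "disable", "password": {},
    }}}}},
}
# Constructed hardened variant: server certificate verified ("verify-full" is a libpq
# sslmode value) and the password read through the secret/key keys the guide leaves
# commented out. The Secret name and key here are assumptions.
HARDENED_VALUES: dict[str, Any] = {
    "global": {"openbao": {"enabled": True}},
    "openbao": {"install": True, "config": {"storage": {"postgresql": {"connection": {
        "host": "psql.openbao.example.com", "port": 5432, "database": "openbao",
        "username": "openbao", "sslMode": "verify-full",
        "password": {"secret": "openbao-db", "key": "password"},
    }}}}},
}
CONN_PATH = "openbao.config.storage.postgresql.connection"
TLS_OK = ("require", "verify-ca", "verify-full")  # modes that never fall back to plaintext

def lookup(values: dict[str, Any], dotted: str) -> Any:
    """Walk a dotted key path through nested dicts; None if any segment is missing."""
    node: Any = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def lint_openbao_values(values: dict[str, Any]) -> list[str]:
    """Return finding codes for database settings that only suit a throwaway cluster."""
    if not lookup(values, "global.openbao.enabled"):
        return []  # integration off: nothing to check
    conn = lookup(values, CONN_PATH)
    if not isinstance(conn, dict):
        return []  # no override: the bundled default (main Rails database) applies
    findings: list[str] = []
    # disable/allow/prefer (and unset, which libpq treats as prefer) may send plaintext
    if str(conn.get("sslMode") or "").lower() not in TLS_OK:
        findings.append("DB_TLS_NOT_ENFORCED")
    password = conn.get("password")
    if isinstance(password, str):
        findings.append("DB_PASSWORD_INLINE")  # secret material committed in values
    elif not (isinstance(password, dict) and password.get("secret") and password.get("key")):
        findings.append("DB_PASSWORD_UNSET")  # no Secret reference configured
    return findings
```

Run it against the values file you are about to pass to Helm; an empty list means the two dev-only shortcuts are gone.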
Limitations
Current known limitations:
- OpenBao updates imply downtime.
- cert-manager must be installed before OpenBao, so Helm can locate the Certificate CRD.