Revert "Secrets: Remove unused register_api_server setting" (#116004)

Revert "Secrets: Remove unused register_api_server setting (#113849)" This reverts commit 4ee2112ea4.
2026-02-03 20:49:50 -05:00 · 2026-01-09 11:01:46 +01:00 · 2026-01-09 11:01:46 +01:00 · a56fa3c7b5
commit a56fa3c7b5
parent f5f9a66fa8
5 changed files with 30 additions and 0 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@ -2234,6 +2234,8 @@ encryption_provider = secret_key.v1

 # These flags are required in on-prem installations for GitSync to work
 #
+# Whether to register the MT CRUD API
+register_api_server = true
 # Whether to create the MT secrets management database
 run_secrets_db_migrations = true
 # Whether to run the data key id migration. Requires that RunSecretsDBMigrations is also true.
--- a/conf/sample.ini
+++ b/conf/sample.ini
@ -2123,6 +2123,8 @@ default_datasource_uid =

 # These flags are required in on-prem installations for GitSync to work
 #
+# Whether to register the MT CRUD API
+;register_api_server = true
 # Whether to create the MT secrets management database
 ;run_secrets_db_migrations = true
 # Whether to run the data key id migration. Requires that RunSecretsDBMigrations is also true.
--- a/pkg/setting/setting_secrets_manager.go
+++ b/pkg/setting/setting_secrets_manager.go
@ -36,6 +36,8 @@ type SecretsManagerSettings struct {
 	// How long to wait for the process to clean up a secure value to complete.
 	GCWorkerPerSecureValueCleanupTimeout time.Duration

+	// Whether to register the MT CRUD API
+	RegisterAPIServer bool
 	// Whether to create the MT secrets management database
 	RunSecretsDBMigrations bool
 	// Whether to run the data key id migration. Requires that RunSecretsDBMigrations is also true.
@ -64,6 +66,7 @@ func (cfg *Cfg) readSecretsManagerSettings() {
 	cfg.SecretsManagement.GCWorkerPollInterval = secretsMgmt.Key("gc_worker_poll_interval").MustDuration(1 * time.Minute)
 	cfg.SecretsManagement.GCWorkerPerSecureValueCleanupTimeout = secretsMgmt.Key("gc_worker_per_request_timeout").MustDuration(5 * time.Second)

+	cfg.SecretsManagement.RegisterAPIServer = secretsMgmt.Key("register_api_server").MustBool(true)
 	cfg.SecretsManagement.RunSecretsDBMigrations = secretsMgmt.Key("run_secrets_db_migrations").MustBool(true)
 	cfg.SecretsManagement.RunDataKeyMigration = secretsMgmt.Key("run_data_key_migration").MustBool(true)

--- a/pkg/setting/setting_secrets_manager_test.go
+++ b/pkg/setting/setting_secrets_manager_test.go
@ -171,6 +171,28 @@ domain = example.com
 		assert.Empty(t, cfg.SecretsManagement.ConfiguredKMSProviders)
 	})

+	t.Run("should handle configuration with register_api_server disabled", func(t *testing.T) {
+		iniContent := `
+[secrets_manager]
+register_api_server = false
+`
+		cfg, err := NewCfgFromBytes([]byte(iniContent))
+		require.NoError(t, err)
+
+		assert.False(t, cfg.SecretsManagement.RegisterAPIServer)
+	})
+
+	t.Run("should handle configuration without register_api_server set", func(t *testing.T) {
+		iniContent := `
+[secrets_manager]
+encryption_provider = aws_kms
+`
+		cfg, err := NewCfgFromBytes([]byte(iniContent))
+		require.NoError(t, err)
+
+		assert.True(t, cfg.SecretsManagement.RegisterAPIServer)
+	})
+
 	t.Run("should handle configuration with run_secrets_db_migrations disabled", func(t *testing.T) {
 		iniContent := `
 [secrets_manager]
--- a/scripts/grafana-server/custom.ini
+++ b/scripts/grafana-server/custom.ini
@ -41,5 +41,6 @@ host = localhost:7777
 developer_mode = true ; Enable developer mode to use in-memory implementations of 3rdparty services needed.

 [secrets_manager]
+register_api_server = true
 run_secrets_db_migrations = true
 run_data_key_migration = true