Track ID Token generation for Secrets Manager

We need to track the various metrics related to
feature usage for Secrets Manager. One of the
metrics is the generation of ID token for accessing the secrets manager.

We define the event and required metrics to track
the ID token generation. We trigger the event when
the ID token is generated in the ProjectSecretsManager.

[Issue](https://gitlab.com/gitlab-org/gitlab/-/issues/428871)

ee/app/models/secrets_management/project_secrets_manager.rb

@@ -2,6 +2,8 @@
 
 module SecretsManagement
   class ProjectSecretsManager < ApplicationRecord
+    include Gitlab::InternalEventsTracking
+
     STATUSES = {
       provisioning: 0,
       active: 1,
@@ -93,6 +95,7 @@ def ci_auth_type
     end
 
     def ci_jwt(build)
+      track_ci_jwt_generation(build)
       Gitlab::Ci::JwtV2.for_build(build, aud: self.class.server_url)
     end
 
@@ -269,5 +272,14 @@ def namespace_path
         project.namespace.id.to_s
       ].join('_')
     end
+
+    def track_ci_jwt_generation(build)
+      track_internal_event(
+        'generate_id_token_for_secrets_manager_authentication',
+        project: project,
+        namespace: project.namespace,
+        user: build.user
+      )
+    end
   end
 end

ee/config/events/generate_id_token_for_secrets_manager_authentication.yml

+---
+description: Generation of an ID token for a CI job to authenticate with Gitlab Native Secrets Manager to fetch a secret
+internal_events: true
+action: generate_id_token_for_secrets_manager_authentication
+identifiers:
+- project
+- namespace
+- user
+product_group: pipeline_security
+product_categories:
+- secrets_management
+milestone: '17.10'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184062
+tiers:
+- ultimate

ee/config/metrics/counts_all/count_distinct_project_id_from_generate_id_token_for_secrets_manager_authentication.yml

+---
+key_path: redis_hll_counters.count_distinct_project_id_from_generate_id_token_for_secrets_manager_authentication
+description: Count of unique projects whose CI Jobs trigger ID token generation to fetch a secret from Gitlab Secrets Manager
+product_group: pipeline_security
+product_categories:
+- secrets_management
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.10'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184062
+time_frame:
+- 28d
+- 7d
+data_source: internal_events
+data_category: optional
+tiers:
+- ultimate
+events:
+- name: generate_id_token_for_secrets_manager_authentication
+  unique: project.id

ee/config/metrics/counts_all/count_distinct_user_id_from_generate_id_token_for_secrets_manager_authentication.yml

+---
+key_path: redis_hll_counters.count_distinct_user_id_from_generate_id_token_for_secrets_manager_authentication
+description: Count of unique users starting CI Jobs that trigger ID token generation to fetch a secret from Gitlab Secrets Manager
+product_group: pipeline_security
+product_categories:
+- secrets_management
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.10'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184062
+time_frame:
+- 28d
+- 7d
+data_source: internal_events
+data_category: optional
+tiers:
+- ultimate
+events:
+- name: generate_id_token_for_secrets_manager_authentication
+  unique: user.id

ee/spec/models/secrets_management/project_secrets_manager_spec.rb

@@ -91,4 +91,29 @@
       end
     end
   end
+
+  describe '#ci_jwt' do
+    let_it_be(:project) { create(:project) }
+    let_it_be(:secrets_manager) { build(:project_secrets_manager, project: project) }
+    let_it_be(:ci_build) { create(:ci_build, project: project) }
+    let_it_be(:openbao_server_url) { described_class.server_url }
+
+    subject(:ci_jwt) { secrets_manager.ci_jwt(ci_build) }
+
+    before do
+      allow(Gitlab::Ci::JwtV2).to receive(:for_build).with(ci_build, aud: openbao_server_url)
+      .and_return("generated_jwt_id_token_for_secrets_manager")
+    end
+
+    it 'generates a JWT for the build' do
+      expect(ci_jwt).to eq("generated_jwt_id_token_for_secrets_manager")
+    end
+
+    it_behaves_like 'internal event tracking' do
+      let(:event) { 'generate_id_token_for_secrets_manager_authentication' }
+      let(:category) { described_class.name }
+      let(:namespace) { project.namespace }
+      let(:user) { ci_build.user }
+    end
+  end
 end