Secrets Management
Whenever possible we should avoid using secrets and instead rely on IAM service accounts and workload identity to get access to the necessary resources.
There will likely be some cases where we do need secrets though. In those cases it likely makes sense to interface with our HashiCorp Vault setup.
Proposed Vault Setup
The following high level diagram shows the proposed setup of secrets within Vault, for consumption via Runway. The general idea is that a top-level namespace (/runway) will be created in Vault, with roles and policies such that:
- Runway team members have full privileges over the namespace
- The Runway provisioner running in CI at https://gitlab.com/gitlab-com/gl-infra/platform/runway/provisioner has the ability to create/modify/delete service namespaces at runway/env/$environment/service. The environments currently needed are dev, staging, and production
- The Runway reconciler service accounts and GitLab team members need read-only access to runway/env/$environment/service/$runway_service_id in order to read secrets for deployment
- The Runway reconciler will mirror secrets in Vault into Google Secrets Manager for consumption in Cloud Run via its native secrets integration
Tasks
- Set up namespaces in Vault: runway/env/dev/service, runway/env/staging/service and runway/env/production/service
- Give the provisioner running in CI at https://gitlab.com/gitlab-com/gl-infra/platform/runway/provisioner permissions/roles to create/update/delete under the above namespaces
- Set up a new role in Vault for reconcilers to have RO access to the namespaces above for their own $runway_service_id
- Give the provisioner running in CI at https://gitlab.com/gitlab-com/gl-infra/platform/runway/provisioner the ability to assign GitLab projects (deployment projects at https://gitlab.com/gitlab-com/gl-infra/platform/runway/deployments) the ability to read runway/env/$environment/service/$runway_service_id
- Modify the Runway reconciler to read secrets from Vault at runway/env/$environment/service/$runway_service_id and create a new GSM secret for each secret it finds (essentially mirroring them and their contents over)
- Modify the Runway reconciler to add the service's GSM secrets to Cloud Run with the secrets exposed as environment variables
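As an added example (not configuration from the Runway project or this page), the three roles described in the setup and task lists above can be expressed as Vault ACL policies in HCL. Assumed here: the /runway namespace is a KV secrets engine mounted at runway/ (for KV v2 the paths need data/ or metadata/ inserted after runway/), each reconciler's Vault entity carries a metadata key named runway_service_id, and the policy file names are placeholders.

```hcl
# Added example, not the Runway project's own configuration.
# Assumes a KV engine mounted at runway/ and an entity metadata key
# "runway_service_id" on each reconciler/deployment identity.

# --- runway-team.hcl: Runway team members, full privileges over the namespace ---
path "runway/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# --- runway-provisioner.hcl: CI provisioner role ---
# "+" matches exactly one path segment, so this covers dev, staging and
# production service trees but grants nothing on runway/ itself or on
# paths outside env/<environment>/service.
path "runway/env/+/service/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# --- runway-reconciler.hcl: reconciler and deployment-project roles ---
# Read-only, and templated so a token can only reach the service id stored
# on its own entity metadata; one policy therefore serves every service
# instead of one hand-written policy per $runway_service_id.
path "runway/env/+/service/{{identity.entity.metadata.runway_service_id}}" {
  capabilities = ["read", "list"]
}
path "runway/env/+/service/{{identity.entity.metadata.runway_service_id}}/*" {
  capabilities = ["read", "list"]
}
```

Each file is loaded with `vault policy write <name> <file>` and attached to the corresponding auth role; a token whose entity lacks the runway_service_id metadata matches no reconciler path and is denied.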
Edited by Graeme Gillies