Migrate runners secrets in Chef to use Vault
As a first step in implementing the Chef secret management proposal (https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/15966), migrate a small service (runners) to fetch secrets from Vault instead of GKMS.

- Add cookbook-gitlab-runner to the Vault config (MR: https://ops.gitlab.net/gitlab-com/gl-infra/config-mgmt/-/merge_requests/4848)
- ~~Modify cookbook-wrapper-gitlab-runner to fetch secrets from Vault~~ Not required: gitlab_secrets has already been bumped to 0.1.0 in all envs and supports HashiCorp Vault.
- Update roles with the necessary config to use Vault secrets:
  - ~~gprd-base-runner.json (chatops - GKMS)~~ decommissioned
  - ~~gstg-base-runner.json (chatops - GKMS)~~ decommissioned
  - build-trigger-runner-manager-gitlab-org.json (chef-vault)
  - build-runners-gitlab-org.json (chef-vault)
  - windows-ci-base-runner.json (GKMS)
  - ops-base-runner.json + ops-base-runner-build.json (GKMS)
  - runners-manager-shared-gitlab-org.json (GKMS)
  - runners-manager-private.json (GKMS)
  - runners-manager-shared.json (GKMS)
  - runners-manager-saas-linux-medium-amd64.json (GKMS)
  - runners-manager-saas-linux-large-amd64.json (GKMS)
  - runners-manager-saas-linux-large-amd64-gpu.json (GKMS)
Edited by Gonzalo Servat