Secret Management in Cells
Overview
What is GitLab Dedicated Doing:
Dedicated leverages GCP Cloud Key Management Service (KMS).
All secrets are unique per tenant.
Thus each GitLab installation has its own set of secrets, and some configuration items are stored using that cloud provider's secrets service.
The tooling to build a GitLab installation is aware of and shares only the necessary secrets between various stages.
What is GitLab.com doing right now:
.com already leverages KMS for simple items, as well as a wrapper for secrets management for Chef runs on Virtual Machines. Most secrets are pushed into HashiCorp Vault, and various parts of our infrastructure use this service for items that are shared between Virtual Machines and our Kubernetes installations.
Action Items
- Understand better how secret management works in GitLab Dedicated.
- Decide on where HashiCorp Vault and KMS are going to be used, and how they differ.
- Update the "What will GitLab.com do" section.
Edited by Adeline Yeung