Manage Vault secrets using GitLab UI
Important note: This issue is about interacting with a Vault instance using the GitLab UI; installing a Vault instance for you, or managing secrets that are not used by GitLab CI/CD. For use of GitLab CI/CD with Vault, please see https://gitlab.com/gitlab-org/gitlab-ce/issues/61053.
Description
We manage secrets with project level and group level secret variables (environment variables) as well as service keys at the instance level. There are advantages to using something purpose-built for this, such as Vault, which we plan to bundle with GitLab (omnibus-gitlab#4317 (closed)). Since Vault has a smaller attack surface vs. GitLab, our customer's secrets will be safer here.
This item is related to https://gitlab.com/gitlab-org/gitlab-ee/issues/7569, which introduces more dyamic secrets/credential rotation.
Proposal
This MVC is at its core about adding an interface to that Vault from within GitLab. We should add a new page (perhaps to Operations) that exposes variables from Vault and allows for basic management. Specifically, providing a window into secrets that are stored there that are not otherwise related to GitLab which would otherwise never be surfaced.
This is important because there are going to be other kinds of variables in GitLab that are backed by Vault; GitLab internal ones (https://gitlab.com/gitlab-org/gitlab-ce/issues/61632), GitLab runner/CI ones, and possibly more. We need to confirm we do not duplicate the efforts of https://gitlab.com/gitlab-org/gitlab-ee/issues/7569 (automatic key rotation/dynamic secrets) or https://gitlab.com/gitlab-org/gitlab-ce/issues/61053 (Vault for CI variables). There will be specific functionalities to each of these, but we should not end up with three different ways to interact with the embedded Vault.
The accessor token will need to be determined - it should be specific as possible (probably logged in user?) and not a generic "GitLab" access. https://gitlab.com/gitlab-org/gitlab-ce/issues/61551 will make comparing users between GitLab and Vault easier.
Links / references
Customers
- https://gitlab.my.salesforce.com/00161000006fkPe
- https://gitlab.my.salesforce.com/00161000004yxj9
- https://gitlab.my.salesforce.com/00161000004xJHk
- https://gitlab.my.salesforce.com/00161000004xTAv
- https://gitlab.my.salesforce.com/00161000004yLEy
- https://gitlab.my.salesforce.com/00161000003RIGC
- https://gitlab.my.salesforce.com/0016100001SqEqw
- https://gitlab.my.salesforce.com/00161000002xBaT
- Unnamed DoD customer
- Unnamed US intelligence community customer