Add Vault installation into Omnibus
Problem to solve
GitLab does not provide a secrets management solution at the moment, our users are on their own to find a solution like Vault and they have no guidance on how to use it in an ecosystem with GitLab.
Intended users
This will be used by system administrators to install or define the Vault instance that GitLab interacts with, but it serves a broad cross-section of users. Security teams will be interested as it provides a mechanism for secure key management (see the category page for overall strategic details and benefits).
Further details
Installing Vault will modify the GitLab system requirements as described in the Vault documentation.
In the future, if GitLab is modified to depend on Vault for its own internal secrets, this installation may be made mandatory.
Proposal
We will optionally install the open source version of Vault as part of the GitLab installation, similar to how we include Consul today. This will give customers a place to store their own secrets, unrelated to GitLab. Alternatively, we would allow a customer's already in-place EE instance to be used instead. In either case, the configuration for connecting to the chosen Vault instance should be retained so that future GitLab features can use it: this installation will also be leveraged to build further features on top of, including moving GitLab's own secrets into a more secure location and allowing CI integration with this Vault.
We will also add documentation on how to get the most out of GitLab and Vault.
We could also consider providing a Vault instance to users of gitlab.com, but this is a major separate effort being discussed in https://gitlab.com/gitlab-org/gitlab-ce/issues/61551.
Permissions and Security
In terms of this specific issue, the primary concern is ensuring we follow the Vault documentation and install the server per its security configuration guidance. Features built on top of this Vault instance will need to follow Vault security best practices.
Documentation
We will need documentation on how to manage and use the Vault instance, similar to our Consul documentation. This should include details on how to leverage GitLab and Vault together effectively, even if there are no official product features leveraging it. If product features are coming out at the same time, these should be referenced.
Testing
What does success look like, and how can we measure that?
We should measure usage of Vault (either configured or installed) by our users.