Support GCP secret stores as an alternative to Vault
Problem to solve
We plan to implement Vault as a secrets store bundled with GitLab, but some customers will prefer to use a GCP-provided service. GCP does provide Vault as one option, but also provides software (KMS) and hardware (HSM) key management.
Intended users
Many developer and operations users will interact with this feature, but the primary integrator will be security operations teams.
Further details
This will provide more flexibility to teams, ensuring that GitLab is valuable even when not using our bundled secrets solution.
Proposal
We should allow configuration to select a secrets provider other than the default bundled Vault one. This should be implemented in a way that
Permissions and Security
Implementing this feature will require a comprehensive security evaluation by @gitlab-com/gl-security/appsec. The goal here is to improve the security available to GitLab itself, to CI/CD pipelines, and to users who want to store secrets in general associated with projects under development in GitLab.