### Problem to solve GitLab is adding a per-instance Vault instance to Omnibus via https://gitlab.com/gitlab-org/gitlab-ce/issues/61548. We could also consider providing a Vault instance to gitlab.com users to store and manage their secrets as well. ### Intended users This will be used by system administrators to install or define the Vault instance that GitLab interacts with, but services a broad cross-section of users. Security teams will be interested as it provides a mechanism for secure key management (see [category page](https://about.gitlab.com/direction/release/secrets_management/) for overall strategic details and benefits.) Specifically, this will be users in this group who are also users of gitlab.com. ### Further details This could represent a significant change to compute/storage on gitlab.com. The [Vault documentation](https://learn.hashicorp.com/vault/operations/ops-reference-architecture#deployment-system-requirements) has details on what is required. It's unclear if we can create one mega-instance for GitLab or if we would need one per-customer. This would drive feasibility of including it as a free feature. ### Proposal With https://gitlab.com/gitlab-org/gitlab-ce/issues/61548 implemented, this is a incremental improvement but a complicated one. A proposal for using Vault at gitlab.com scale will need to be investigated by engineering to determine an appropriate path forward to provide this capability. From a product standpoint however we'd want to ensure parity with the managed instance version. ### Permissions and Security In terms of this specific issue, the primary concern is ensuring we follow Vault documentation and build our gitlab.com instance following their security configuration guidance. ### Documentation We will need documentation on how users can interact with their gitlab.com Vault instance. ### Testing <!-- What risks does this change pose? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing? See the test engineering process for further guidelines: https://about.gitlab.com/handbook/engineering/quality/guidelines/test-engineering/ --> ### What does success look like, and how can we measure that? We should measure usage of Vault (either configured or installed) by our users ### Links / references