Support reading defined CI/CD secrets from Vault server.
Extracted from gitlab#212252.
As the first step to make secrets management better, we've decided that we will add support for defining secrets and automatically pulling them into CI/CD job variables from the HashiCorp Vault server. The work on the GitLab side was finished; we now must add the missing support on the Runner side.
The initial proof of concept was implemented as part of the work on the initial issue, but it must be updated a little to match the changes made in the syntax proposal. Also, for now, we're limiting the support to reading secrets only.
All of the discussion around designing the concept can be found at gitlab#212252 and related issues and MRs. The implementation MR, which will be updated while working on this issue, can be found at !2006 (closed).
TODO
- !2371 (merged) (vendoring Go library for HashiCorp Vault) ⬇
- !2288 (merged) (API structures update) ⬇
- !2370 (merged) (basic secrets handling abstraction) ⬇
- !2373 (merged) (adding Vault client integration package) ⬇
- !2374 (merged) (adding Vault secrets resolver; binding all things together)