Tech Evaluation: Bring your own Vault Integration
Problem to solve
In the larger vision for HashiCorp Vault, we want to give users native access to Vault as part of their GitLab experience, for both GitLab.com and self-managed instances. For the long-term implementation we are evaluating and refining requirements on two main items:
- Bundling Vault with Omnibus GitLab - this would give self-managed instances a Vault that is integrated with their GitLab instance
- Providing a single Vault instance for GitLab.com - this would give every GitLab.com user a Vault instance tied to their GitLab account
There are many directions we could take to support users in adopting Vault for secrets management with GitLab. In priority order, they are:
- Support existing GitLab + Vault Users - "Bring your own Vault" (BYOV)
- Use Vault for internal GitLab.com secrets and tokens
- Use Vault for the secrets management needs of GitLab.com customers
- Support New Installations of Vault with Self-Managed Instances
We will use this issue to establish the best path forward to support users with existing Vaults in the immediate term (use case 1).
Further details
In #118624 (closed), we are evaluating how secrets and tokens are handled within the GitLab application. That work can be the foundation for supporting use cases 2, 3, and 4. Some of our existing customers (see their setup in #28321 (comment 269481081)) do not want to use GitLab to store, administer, or update secrets at all; they want to defer all of this to Vault. As a result, we should investigate the most flexible way for GitLab to receive tokens from Vault.
Two approaches have been presented: A) Identity API - an API that would identify which project/job a given job token belongs to (and whether it is valid), and then redirect users from the CLI if the token is not valid
B) Allow a user to set up Vault in Kubernetes - this would use the Vault Helm chart to install Vault, but all configuration and management of secrets would remain the user's responsibility, and it would likely require implementing #118624 (closed) to handle passing tokens, keys, and secrets
Next actions
- Get familiar with HashiCorp Vault and understand the issues linked here
- Evaluate the easiest/quickest path to better support GitLab users who already run a Vault alongside GitLab
- Create or update issues for implementation, add weights, and close this issue