Manage Vault secrets using GitLab UI
Important note: This issue is about interacting with a Vault instance using the GitLab UI, and about managing secrets that are not used by GitLab CI/CD; it is not about installing a Vault instance for you. For use of GitLab CI/CD with Vault, please see #28321 (closed).
Description
We manage secrets with project-level and group-level secret variables (environment variables) as well as service keys at the instance level. There are advantages to using something purpose-built for this, such as Vault, which we plan to bundle with GitLab (omnibus-gitlab#4317 (closed)). Since Vault has a smaller attack surface than GitLab, our customers' secrets will be safer there.
Backing a variable with Vault means rotation happens within Vault itself, so dynamic secrets are supported with no extra effort on GitLab's side while keeping our attack surface minimal.
Context from product scaling agenda: https://docs.google.com/document/d/1nMJzrDfG7C14WP5v7P226oPFuXkwqIk7bdIT8ai0DNU/edit?ts=5d84fb07&skip_itp2_check=true&pli=1#bookmark=id.5yw2r2j9qbtb
Proposal
This MVC is, at its core, about adding an interface to Vault from within GitLab. We should add a new page (perhaps under Operations) that exposes secrets from Vault and allows basic management. Specifically, it should provide a window into secrets stored in Vault that are not otherwise related to GitLab and would otherwise never be surfaced.
This is important because there are going to be other kinds of variables in GitLab that are backed by Vault; GitLab internal ones (https://gitlab.com/gitlab-org/gitlab-ce/issues/61632), GitLab runner/CI ones, and possibly more.
The accessor token will need to be determined. It should be as specific as possible (probably tied to the logged-in user) rather than a generic "GitLab" token: with one shared token, Vault's policies would grant the same permissions to every GitLab user who can reach the page, and Vault's audit log would attribute every read and write to GitLab rather than to the person who performed it. https://gitlab.com/gitlab-org/gitlab-ce/issues/61551 will make comparing users between GitLab and Vault easier.
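To make the accessor-token point concrete, the following is an added example (not GitLab or HashiCorp code) that models Vault's ACL policy evaluation in simplified form and runs the same UI operation under a hypothetical generic "GitLab" token and under a hypothetical per-user token. The secret paths, policy contents and user names are constructed for illustration; only the trailing `*` glob is modelled, and the precedence rules (exact path beats glob, longest glob wins, `deny` overrides, no rule means no access) follow Vault's documented behaviour.

```python
"""Simplified model of Vault ACL policy evaluation.

Constructed for this issue to illustrate why the accessor token should be
scoped to the logged-in GitLab user; it is not GitLab or HashiCorp code, and
the secret paths and policies below are hypothetical.
"""
from typing import Dict, List, Set

# A policy maps a path pattern to a set of capabilities. Vault allows a
# trailing '*' glob; that is the only glob form modelled here.
Policy = Dict[str, Set[str]]

FULL = {"create", "read", "update", "delete", "list"}

# Hypothetical "generic GitLab" policy: one token for the whole integration,
# so every GitLab user who reaches the page gets these rights.
GENERIC_GITLAB_POLICY: Policy = {
    "secret/data/*": set(FULL),
}


def user_policy(username: str) -> Policy:
    """Hypothetical per-user policy template issued for the logged-in user."""
    return {
        f"secret/data/users/{username}/*": set(FULL),
        "secret/data/shared/*": {"read", "list"},
        # The longer glob wins over "secret/data/shared/*", so this carves a
        # deny out of an otherwise readable subtree.
        "secret/data/shared/admin/*": {"deny"},
    }


def _matches(pattern: str, path: str) -> bool:
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def capabilities(policies: List[Policy], path: str) -> Set[str]:
    """Effective capabilities for `path` under the union of `policies`.

    Simplified Vault rules: an exact path rule beats any glob, the longest
    matching glob beats shorter ones, rules for the same pattern across
    policies are unioned, and `deny` on the winning rule overrides all else.
    No matching rule means no access (Vault's default).
    """
    matching: Dict[str, Set[str]] = {}
    for policy in policies:
        for pattern, caps in policy.items():
            if _matches(pattern, path):
                matching.setdefault(pattern, set()).update(caps)
    if not matching:
        return set()
    best = max(matching, key=lambda p: (not p.endswith("*"), len(p)))
    caps = matching[best]
    return {"deny"} if "deny" in caps else set(caps)


def allowed(policies: List[Policy], capability: str, path: str) -> bool:
    return capability in capabilities(policies, path)


def compare(username: str, capability: str, path: str) -> Dict[str, bool]:
    """Outcome of one UI operation under a generic token vs a per-user token."""
    return {
        "generic": allowed([GENERIC_GITLAB_POLICY], capability, path),
        "per_user": allowed([user_policy(username)], capability, path),
    }


if __name__ == "__main__":
    for op, path in [
        ("read", "secret/data/users/alice/db"),
        ("read", "secret/data/users/bob/db"),
        ("update", "secret/data/shared/team-key"),
        ("read", "secret/data/shared/admin/root-ca"),
    ]:
        print(f"alice {op:6} {path:40} {compare('alice', op, path)}")
```

With the generic token every operation succeeds, including alice reading bob's secrets and the admin subtree; with the per-user token Vault itself enforces the boundary, and because each token carries the user's identity the audit log records who acted. The UI then only needs to relay Vault's decision rather than reimplement authorization on the GitLab side.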
Links / references
Customers
- https://gitlab.my.salesforce.com/0016100000eNZxz
- https://gitlab.my.salesforce.com/00161000006fkPe
- https://gitlab.my.salesforce.com/00161000004yxj9
- https://gitlab.my.salesforce.com/00161000004xJHk
- https://gitlab.my.salesforce.com/00161000004xTAv
- https://gitlab.my.salesforce.com/00161000004yLEy
- https://gitlab.my.salesforce.com/00161000003RIGC
- https://gitlab.my.salesforce.com/0016100001SqEqw
- https://gitlab.my.salesforce.com/00161000002xBaT
- https://gitlab.my.salesforce.com/00161000017upDb
- https://gitlab.my.salesforce.com/00161000003RIGCAA4
- Unnamed DoD customer
- Unnamed US intelligence community customer