Tech Evaluation: Re-try pipeline if secret is rotated in the middle of job
Topic to Evaluate
When looking at automatic rotation of secrets, I began to wonder: if users have a job in a pipeline that retrieves a secret from a key store and the key store automatically rotates the secret, what happens to the job? What happens to the pipeline? We need to investigate whether we can proactively restart jobs/pipelines when keys are rotated in a key store.
Tasks to Evaluate
- Test dynamic secrets in pipelines; create a POC if necessary
- Manually and automatically rotate secrets from key store
- Evaluate what GitLab does and document that on https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/
- Create issue for how to ensure pipelines run/aren't blocked when a secret rotates
- Weight issues
Risks and Implementation Considerations
Are there any considerations where we would want this to be configurable?
- Maybe people want a script for some jobs and not others?