Dynamically mask resolved vault variables
Release notes
Vault secrets fetched within gitlab-runner now mask themselves automatically within job console.
Problem to solve
- Sensitive secrets stored in HashiCorp Vault can be revealed by simply running the `cat` command.
Intended users
Delaney, a development team lead who might be extremely new to GitLab, is experimenting with GitLab and trying to debug why a Vault secret isn't showing up, and accidentally `cat`s the results.
User experience goal
- The user will see `*****` as the mask for Vault secrets and as a result know that the value in question is one that is retrieved from HashiCorp Vault.
- The user begins to use the variable without `cat`-ing the results.
Proposal
- Automatically mask resolved Vault variables in GitLab Runner.
  - Step 1: track the incoming trace from job execution to the buffer.
  - Step 2: match the trace against the collected patterns and replace found values with `[masked]` before sending the buffer to GitLab.
- Since we have some masking limitations, when it is impossible to mask the resolved variable, we should allow resolving this variable as unmasked so we won't break any existing integrations.
- If the variable is unmasked, we should print a warning to the logs.
- Deploy this feature behind a feature flag.
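To make the two steps above and the unmasked fallback concrete, here is an added example of a streaming trace masker written for this issue; it is not GitLab Runner's own code. It assumes a hypothetical minimum length of 8 bytes and a "no line breaks" rule as the masking limitations (the real limits are not stated on this page), records a warning for any value it has to leave unmasked, and holds back a short tail of the buffer so a secret that straddles two trace chunks is still caught before the buffer is forwarded to GitLab.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Placeholder written in place of every matched secret value.
const maskedPlaceholder = "[masked]"

// Assumed minimum length for a maskable value (hypothetical limit, not the
// project's own). Very short values would match far too much ordinary output.
const minMaskLen = 8

// Masker rewrites a stream of job trace bytes so that resolved Vault values
// never reach the log. The trace arrives in chunks, so a value may straddle a
// chunk boundary; the masker holds back a tail of unflushed bytes to catch it.
type Masker struct {
	secrets  [][]byte // values that passed the maskability check
	maxLen   int      // longest secret; bounds the held-back tail
	pending  []byte   // bytes received but not yet forwarded
	Warnings []string // one entry per value that had to be left unmasked
}

// Maskable reports whether a value satisfies the assumed constraints: at
// least minMaskLen bytes and no line breaks (a multi-line value cannot be
// matched reliably once the trace is split into lines).
func Maskable(v string) bool {
	return len(v) >= minMaskLen && !strings.ContainsAny(v, "\r\n")
}

// NewMasker registers the resolved values. Values that cannot be masked are
// skipped and a warning is recorded, mirroring the "resolve as unmasked and
// warn" fallback in the proposal.
func NewMasker(values []string) *Masker {
	m := &Masker{}
	for _, v := range values {
		if !Maskable(v) {
			m.Warnings = append(m.Warnings,
				"warning: a resolved Vault value does not satisfy masking requirements and will appear unmasked")
			continue
		}
		m.secrets = append(m.secrets, []byte(v))
		if len(v) > m.maxLen {
			m.maxLen = len(v)
		}
	}
	return m
}

// Write takes the next trace chunk and returns the bytes that are now safe
// to forward. Up to maxLen-1 trailing bytes are retained because a secret
// could begin there and finish in the next chunk.
func (m *Masker) Write(chunk []byte) []byte {
	m.pending = append(m.pending, chunk...)
	for _, s := range m.secrets {
		m.pending = bytes.ReplaceAll(m.pending, s, []byte(maskedPlaceholder))
	}
	hold := m.maxLen - 1
	if hold < 0 {
		hold = 0
	}
	if len(m.pending) <= hold {
		return nil
	}
	cut := len(m.pending) - hold
	out := append([]byte(nil), m.pending[:cut]...)
	m.pending = append([]byte(nil), m.pending[cut:]...)
	return out
}

// Flush releases the retained tail once the job has finished.
func (m *Masker) Flush() []byte {
	out := m.pending
	m.pending = nil
	return out
}

// MaskAll runs a sequence of chunks through a fresh masker and returns the
// forwarded trace as one string; convenient for tests and quick checks.
func MaskAll(values []string, chunks []string) string {
	m := NewMasker(values)
	var sb strings.Builder
	for _, c := range chunks {
		sb.Write(m.Write([]byte(c)))
	}
	sb.Write(m.Flush())
	return sb.String()
}

func main() {
	// Constructed sample: the secret is split across two trace chunks, as it
	// would be if the script's output were read in small pieces.
	secret := "vault-db-pass-9f3a"
	chunks := []string{"DB_PASSWORD=vault-db", "-pass-9f3a\nconnecting...\n"}
	m := NewMasker([]string{secret, "short"})
	for _, w := range m.Warnings {
		fmt.Println(w)
	}
	fmt.Print(MaskAll([]string{secret}, chunks))
}
```

The held-back tail is what makes the chunked case safe: a plain per-chunk search would let the first half of a value through before the second half arrived. The cost grows with the number and length of registered values, which is exactly the performance risk noted below, so the hold size and the replacement loop are the places to measure on the Runner host.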
Risks
- Enabling masking for a secret of any arbitrary value, regardless of the length, may result in a significant increase in compute resources used by Runner on the host. This could lead to other problems exacerbated by high CPU and memory utilization.
Note: Per the risk described above, this feature needs to be tested to validate any potential performance impact (CPU, memory) on the Runner host.
What does success look like, and how can we measure that?
- `cat` a Vault secret: does it show up in the job log? If it does, the feature is not successful.
Available Tier
Ultimate