Investigate various secrets solutions
Goal
Test Hashicorp Vault, Cyberark Conjur and Mozilla Sops.
We would like a better understanding of how to move forward with Secrets Management within GitLab in general. One thing we know: we don't want to build the next secrets management engine.
We know that every user has secrets, and there does not seem to be a single standard, market-leading tool, like docker, to manage these secrets. Moreover, based on industry insights, a company is much less likely to change its secrets engine than to change its SCM or CI engine.
Given the many insights available in issues, our visionary secrets management solution should support secrets at various levels of GitLab that are merged in the CI pipeline: we need secrets at various group levels and at the project level, there might even be user secrets, and all of these come together in the pipeline.
Based on the above, we would like to evaluate various solutions to see what might be the best fit for us to start with.
The Experience
Let's model the following user flow with the 3 solutions mentioned above (if possible):
- Specify secrets at the group level
- Specify secrets at the project level
- Deploy these secrets using the CI
- Use these secrets within the target environment (for example, a pod in a k8s cluster)
- How do we make these integrations easy to use?
Definition of done
- Example project using Vault
- Example project using Cyberark
- Example project using SOPS
- Pros/cons writeup