Some configurations can only be set via Environment variables
Summary
Some configuration items can ONLY be set via environment variables. This creates an inconsistent approach to configuring the running software and, depending on the type of configuration item, can be dangerous to expose as an environment variable.
Improvements
The following configuration items can ONLY be set via environment variables. Some contain private information which would be better served by our gitlab.rb configuration procedure.
- GITLAB_CDN_HOST
- GITLAB_GRAFANA_API_KEY: https://gitlab.com/gitlab-org/gitlab/-/blob/5b3df8b511be5e61717c8e0a23f5a95eb10bdff4/lib/gitlab/database/reindexing/grafana_notifier.rb#L8
- GITLAB_THROTTLE_USER_ALLOWLIST: https://gitlab.com/gitlab-org/gitlab/-/blob/fbc099e2c70b763acba945fa710a83591fa00a7a/lib/gitlab/rack_attack.rb#L167
- GITLAB_UPLOAD_API_ALLOWLIST: https://gitlab.com/gitlab-org/gitlab/-/blob/9b3a2afb286d2234c94aa58dbea1f584836fe399/lib/api/projects.rb#L57
- SUBSCRIPTION_PORTAL_ADMIN_EMAIL: https://gitlab.com/gitlab-org/gitlab/-/blob/532d53c48324c50dd55dcd506ab8f2a24615ae88/ee/lib/ee.rb#L11
- SUBSCRIPTION_PORTAL_ADMIN_TOKEN: 🛑 https://gitlab.com/gitlab-org/gitlab/-/blob/532d53c48324c50dd55dcd506ab8f2a24615ae88/ee/lib/ee.rb#L12
Risks
In Kubernetes, we handle placing secrets in a very specific way to limit the blast radius of an exposed environment: https://docs.gitlab.com/charts/architecture/decisions.html#preference-of-secrets-in-initcontainer-over-environment
As these items can only be configured via environment variables, we risk exposing the private information they carry.
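As an added example (not GitLab's own code) covering both the inventory above and the risk it describes: a small Ruby audit that scans source text for settings read directly from ENV, flags the ones whose names suggest credentials or personal data, and reports which of them have no file-backed equivalent. The sample source and the list of file-backed keys are constructed for the demonstration; the `ENV[...]`/`ENV.fetch(...)` patterns are the only thing it relies on.

```ruby
# Added example, not GitLab's own code: inventory settings that are read
# straight from ENV so that ENV-only items (and the sensitive ones first)
# can be scheduled for a move to the gitlab.rb / gitlab.yml path.

# Matches ENV['NAME'], ENV["NAME"], ENV.fetch('NAME', ...) and ENV.fetch("NAME")
ENV_READ = /\bENV(?:\[|\.fetch\()\s*['"]([A-Z][A-Z0-9_]*)['"]/
# Name fragments that usually indicate a credential or personal data
SENSITIVE = /TOKEN|KEY|SECRET|PASSWORD|EMAIL/

# Returns one hash per ENV read: variable name, source line, sensitivity flag.
def env_reads(source)
  source.each_line.with_index(1).flat_map do |line, lineno|
    line.scan(ENV_READ).map do |(name)|
      { name: name, line: lineno, sensitive: SENSITIVE.match?(name) }
    end
  end
end

# Names read from ENV with no entry in the file-backed configuration,
# i.e. settings an operator can ONLY set through the environment.
def env_only(source, file_backed_keys)
  env_reads(source).map { |r| r[:name] }.uniq - file_backed_keys
end

# Constructed sample source using the variable names listed in the issue.
SAMPLE_SOURCE = <<~RUBY
  cdn_host    = ENV['GITLAB_CDN_HOST']
  api_key     = ENV.fetch('GITLAB_GRAFANA_API_KEY', nil)
  throttled   = ENV['GITLAB_THROTTLE_USER_ALLOWLIST'].to_s.split(',')
  upload_ok   = ENV["GITLAB_UPLOAD_API_ALLOWLIST"].to_s.split(',')
  admin_email = ENV.fetch("SUBSCRIPTION_PORTAL_ADMIN_EMAIL")
  admin_token = ENV.fetch("SUBSCRIPTION_PORTAL_ADMIN_TOKEN")
  external_url = Gitlab.config.gitlab.url
RUBY

# Constructed assumption: keys that are already settable via gitlab.rb.
FILE_BACKED_KEYS = %w[GITLAB_CDN_HOST].freeze

if $PROGRAM_NAME == __FILE__
  env_reads(SAMPLE_SOURCE).each do |r|
    flag = r[:sensitive] ? 'SENSITIVE' : ''
    puts format('%-34s line %2d %s', r[:name], r[:line], flag)
  end
  puts "ENV-only: #{env_only(SAMPLE_SOURCE, FILE_BACKED_KEYS).join(', ')}"
end
```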