[Cells 1.0] (Size: S) Decide what to do with `encrypted_settings_key_base`
First introduced in d33611a6
Usage:
The base key to encrypt settings files with
Decide what to do with this secret with respect to Cells.
Secret files encrypted with encrypted_settings_key_base: https://docs.gitlab.com/ee/administration/encrypted_configuration.html
| Feature | Proposal | Questions |
|---|---|---|
| Incoming email user and password. | The email account credentials should all be the same for all Cells since I assume all Cells would connect to the IMAP server and process only the emails that are related to resources owned by them. Decision: "For incoming email, see #442161 (comment 1828026768), we decided to either have per-cell mailroom, or disable it entirely for Cells 1.0". | Could this introduce performance concerns if all Cells connect to the same email account? |
| LDAP bind_dn and password | I think LDAP isn't enabled on GitLab.com so we shouldn't care about this. At some point, we could allow LDAP to be configured per-cell if a cell only hosts a single organization, but I doubt this is actually a good thing, and customers should probably go with Dedicated if they need LDAP. | |
| Service Desk email user and password | Same reasoning as for Incoming email. | I guess on GitLab.com, the Service Desk email configuration is the same as the Incoming email one? |
| SMTP user_name and password | Same reasoning as for Incoming email. | |
Latest proposal (2024-09-26)
Based on https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/blob/main/runbooks/custom-smtp.md#sharing-smtp-credentials-in-a-multi-tenant-environment, I think the SMTP credentials won't be set through an encrypted file, but directly in the tenant model config file. That means we shouldn't worry about the value of encrypted_settings_key_base here as we basically don't/won't use this feature (i.e. encrypted config files) on GitLab.com/Cells.
Previous proposals
2024-09-17
All credentials stored in the encrypted files should be the same, but the encrypted_settings_key_base key itself can be different on each cell as it's only used locally in a cell to decrypt the .yml.enc files.
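
The 2024-09-17 proposal above, shown as an added example that is not part of the original issue and is not GitLab's code: two cells encrypt the same credentials under different key bases, and each file only decrypts with its own cell's key. The PBKDF2 and AES-256-GCM scheme, the `iv:tag:ciphertext` file layout, and every name and value here are assumptions made for illustration.

```ruby
require "openssl"

# Assumption: PBKDF2 + AES-256-GCM stand in for the real scheme; the salt,
# key bases and credentials below are constructed sample values.
SALT = "constructed-example-salt"
CREDENTIALS = "user: smtp-user@example.test\npassword: constructed-password\n"
CELL_KEY_BASES = {
  "cell-1" => "constructed-key-base-for-cell-1",
  "cell-2" => "constructed-key-base-for-cell-2"
}.freeze

def derive_key(key_base)
  OpenSSL::PKCS5.pbkdf2_hmac(key_base, SALT, 20_000, 32, OpenSSL::Digest.new("SHA256"))
end

# Returns "iv:tag:ciphertext" in hex, a made-up stand-in for a .yml.enc file.
def encrypt_settings(plaintext, key_base)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = derive_key(key_base)
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ciphertext].map { |part| part.unpack1("H*") }.join(":")
end

# Returns the plaintext, or nil when the key base does not match the file.
def decrypt_settings(blob, key_base)
  iv, tag, ciphertext = blob.split(":").map { |hex| [hex].pack("H*") }
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = derive_key(key_base)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Each cell encrypts the same credentials under its own key base.
def build_cell_files
  CELL_KEY_BASES.transform_values { |key_base| encrypt_settings(CREDENTIALS, key_base) }
end

if __FILE__ == $PROGRAM_NAME
  build_cell_files.each do |cell, blob|
    CELL_KEY_BASES.each do |reader, key_base|
      result = decrypt_settings(blob, key_base) ? "decrypts" : "fails authentication"
      puts "#{cell} file read with #{reader} key: #{result}"
    end
  end
end
```
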