Create a unified tool to generate GitLab secrets
Problem
This is a follow-up from https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2898+.
Different GitLab install methods deal with secret generation differently, as per DJ's comment:
So Omnibus generates gitlab-secrets.json and uses gitlab-ctl reconfigure to produce the various secret files.
The helm charts do so using: https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/templates/shared-secrets/_generate_secrets.sh.tpl
And source installs do so using the code built into the gitlab rails codebase itself.
I do think a common secret generator/handler would be ideal. And due to places it needs to be used, a gitlab_secrets gem is probably the best.
Reading the gitlab.rb is problematic though, as it can have any ruby in it, so any script should only deal with reading structured secret files, and rely on reconfigure to pass it anything set in the gitlab.rb. That should still solve this issue though, as long as the setup relies on the contents of gitlab-secrets.json rather than secrets in gitlab.rb.
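A sketch of what that split could look like, added here as an illustration and not code from any GitLab component: the tool only touches the structured secrets file, values the install method collected from gitlab.rb are passed in as overrides, existing values are never regenerated, and only missing entries get fresh random material. Section and key names, and the generated lengths, are assumed for the example and are not the real gitlab-secrets.json schema.

```ruby
require 'json'
require 'securerandom'

# Hypothetical sketch of the "gitlab_secrets gem" idea from the comment above.
# It only deals with the structured secrets file (gitlab-secrets.json style):
# anything that lives in gitlab.rb must be handed in by the caller (reconfigure).
module GitlabSecrets
  # Secrets the tool knows how to generate, with their generator.
  # Names and lengths are illustrative, not the real gitlab-secrets.json schema.
  GENERATORS = {
    'gitlab_rails' => {
      'secret_key_base' => -> { SecureRandom.hex(64) },
      'db_key_base'     => -> { SecureRandom.hex(64) },
      'otp_key_base'    => -> { SecureRandom.hex(64) },
    },
    'gitlab_shell' => {
      'secret_token' => -> { SecureRandom.hex(64) },
    },
  }.freeze

  # Returns a new secrets hash. Precedence, highest first:
  #   1. overrides (values the install method collected, e.g. from gitlab.rb)
  #   2. values already present in the existing file (never regenerated)
  #   3. freshly generated values for anything still missing
  def self.merge(existing, overrides = {})
    result = {}
    GENERATORS.each do |section, keys|
      result[section] = {}
      keys.each do |name, gen|
        result[section][name] =
          overrides.dig(section, name) || existing.dig(section, name) || gen.call
      end
    end
    result
  end

  def self.load(path)
    File.exist?(path) ? JSON.parse(File.read(path)) : {}
  end

  # Write atomically with owner-only permissions so a partially written or
  # world-readable secrets file never appears on disk.
  def self.save(path, secrets)
    tmp = "#{path}.tmp"
    File.open(tmp, File::WRONLY | File::CREAT | File::TRUNC, 0600) do |f|
      f.write(JSON.pretty_generate(secrets))
    end
    File.rename(tmp, path)
  end
end
```

Running `merge` a second time over its own output returns the same hash, which is the property the "don't generate new secrets by default" discussion asks for.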
As explained by @grantyoung, GET also has to sync these secrets in between deployments, which a unified tool to generate secrets could also help with. Additionally, Grant calls out the challenge of not having a single source of truth for the secret file:
But it's also worth calling out the challenge of where the secrets live. This is more of a problem today as Gitaly is not yet ready for production in Kubernetes, and while progress is being made on that there will still be a long tail. Omnibus relying on a plaintext file is a problem in itself, so for completeness' sake it's perhaps worth considering options on whether an SSoT location for the secrets is also worth exploring.
Discussion/Proposal - needs refinement
Explore solutions to implement the unified secret generation tool.
- Which programming language?
- How can it support Charts, Omnibus, Operator, and source installs?
- How could it make use of a SSoT secrets location?
Related topics
- Proposal: create a secret content validation sc... (gitlab-org/charts/gitlab#3223)
- Don't generate new secrets by default (#222690)
- https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/issues/5734+
- Add a secret generation command to gitlab-ctl (omnibus-gitlab#7701 - closed)
- Document gitlab-ctl generate-secrets command (omnibus-gitlab#8639)
- Support a key management system for GitLab secrets (&5517)
/cc @andrewn @cmiskell @grantyoung @mbruemmer @plu8 @rmarshall @WarheadsSE