
Add group encryption keys

Pascal Zumkehr requested to merge codez0/gitlab:group-encryption-keys into master

This MR is superseded by the following new MRs:


What does this MR do and why?

Adds group encryption keys so each organization is able to en-/decrypt CI variables in the database with their own key. This resolves #378386 (closed).

The GroupEncryptionKey model holds the optional encryption key for each (root) group. If such a key exists, it is used to en-/decrypt all descendant CI variables of this group. Whenever the key for a group is changed, the values of all descendant CI variables are re-encrypted with the new key in a background job. The same happens when a group or a project is transferred to another root group.

Because the MR is quite large, it is currently split up into multiple commits. However, all changes are required for consistent behavior. I plan to work on adding support for both the REST and GraphQL APIs and update the documentation in separate MRs.

Screenshots or screen recordings

The CI/CD Settings page of any root group / organisation:

Encryption Keys section in CI/CD Settings

How to set up and validate locally

  1. Visit any group CI/CD settings page such as http://127.0.0.1:3000/groups/flightjs/-/settings/ci_cd and expand the "Encryption Key" panel.
  2. Enter an encryption key for this group and save it.
  3. All variables in this group are now encrypted using the custom encryption key.
  4. To remove a custom encryption key and use the global/instance encryption key, leave the encryption key field empty and save it.
  5. All variables in this group are now encrypted using the global encryption key.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Pascal Zumkehr
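
The key selection and re-encryption flow described in this MR, as an added Ruby sketch that is not code from the merge request or from GitLab. `VariableStore`, `Variable`, `rotate_group_key` and `transfer` are hypothetical names, AES-256-GCM and 32-byte raw keys are assumptions, and re-encryption runs inline here rather than in a background job.

```ruby
require "openssl"

# Hypothetical model; not GitLab's schema or its cipher configuration.
Variable = Struct.new(:name, :root_group, :iv, :tag, :ciphertext)

class VariableStore
  def initialize(instance_key)
    @instance_key, @group_keys, @variables = instance_key, {}, []
  end

  # Custom key of the root group if one exists, otherwise the instance key.
  def key_for(root_group)
    @group_keys.fetch(root_group, @instance_key)
  end

  def add(name, root_group, value)
    @variables << seal(Variable.new(name, root_group), value)
    @variables.last
  end

  def read(var, key = key_for(var.root_group))
    c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    c.key, c.iv = key, var.iv
    c.auth_tag, c.auth_data = var.tag, var.name
    c.update(var.ciphertext) + c.final # raises CipherError under a wrong key
  end

  # A nil new_key removes the custom key, so the instance key applies again.
  def rotate_group_key(root_group, new_key)
    affected = @variables.select { |v| v.root_group == root_group }
    plaintexts = affected.map { |v| read(v) } # decrypt while the old key is still active
    new_key ? @group_keys.store(root_group, new_key) : @group_keys.delete(root_group)
    affected.zip(plaintexts) { |v, pt| seal(v, pt) }
    affected.size
  end

  # Moving a variable to another root group re-encrypts it under that group's key.
  def transfer(var, new_root_group)
    plaintext = read(var)
    var.root_group = new_root_group
    seal(var, plaintext)
  end

  private

  def seal(var, plaintext)
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = key_for(var.root_group)
    var.iv = c.random_iv            # fresh IV on every (re-)encryption
    c.auth_data = var.name          # bind the ciphertext to its variable name
    var.ciphertext = c.update(plaintext) + c.final
    var.tag = c.auth_tag
    var
  end
end
```

In a background-job design the old key has to stay available until every affected row has been rewritten; otherwise rows not yet processed become undecryptable.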
