Add encrypted ldap secrets support

Merged DJ Mountney requested to merge ldap-secret-command into master

What does this MR do?

Add encrypted ldap secrets support

Adds a new ldap_secrets path setting for optional ldap secrets file. And adds a new set of ldap secrets rake commands for showing/editing an ldap secret

Adds support for loading ldap servers' password and/or user_bn from the encrypted secrets.

Part of #238483 (closed) and currently depends on !43220 (merged)


Users first need to ensure their secrets.yml has a encrypted_settings_key_base. This can be done by running a rake command with the optional generation opted int: bundle exec rake gitlab:env:info GITLAB_GENERATE_ENCRYPTED_SETTINGS_KEY_BASE=true

Then they can use the EDITOR=vim rake gitlab:ldap:secret:edit command to provide their ldap credentials. The expected input is to be yaml, with your credentials nested under your provider:

  password: 'my-password'
  user_bn: 'my/user/bn'

Users can also create the file without an editor by piping to stdin of the rake gitlab:ldap:secret:write command.

cat my-plaintext-creds.yml | rake gitlab:ldap:secret:write

And users can see the credentials via rake gitlab:ldap:secret:show

Does this MR meet the acceptance criteria?


Availability and Testing


If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Robert Speicher