Examine which secrets we can move to Vault from gitlab.rb
We are considering potentially bundling and using Vault for GitLab's secrets. Initially this is likely to focus on an integration with the Runner, but we should also explore if we can use this to more completely separate passwords and configuration in
gitlab.rb than what we could do with just encrypting the rails secrets: #3855. This could provide a method to truly separate configuration and passwords, a popular request: #2183
It would be interesting to go through the list of all secrets contained in
gitlab.rb and determine:
- If it could be moved into Vault
- If the consuming service could read directly from Vault, so it doesn't have to be stored elsewhere
We should also include secrets like the database encryption key, etc.