Bundle Vault with GitLab Omnibus
Problem to solve
GitLab does not provide a secrets management solution at the moment; our users are on their own to find a solution such as Vault, and they have no guidance on how to use it in an ecosystem with GitLab.
This will be used by system administrators to install or define the Vault instance that GitLab interacts with, but it serves a broad cross-section of users. Security teams will be interested, as it provides a mechanism for secure key management (see the category page for overall strategic details and benefits).
Installing Vault will modify the GitLab system requirements as described in the Vault documentation.
In the future, if GitLab is modified to depend on Vault for its own internal secrets, this installation may be made mandatory.
We will optionally install the open source version of Vault as part of the GitLab Omnibus installation, similar to how we include Consul today. This will be a place for customers to store other secrets, unrelated to GitLab, as part of their own usage.
Alternatively, we would allow using a customer's already in-place EE (or otherwise already existing) instance instead. The configuration for connecting to the chosen Vault instance should be retained so that future GitLab features can use it, since this installation will also be leveraged to build interesting features on top of, including potentially moving GitLab's own secrets into a more secure location and allowing for CI integration with this Vault.
- Added documentation on using GitLab and Vault together
- HA will need to be considered, but HA will be considered part of the "bring your own" model for now
We could also consider providing a Vault instance to users of gitlab.com, but this is a major separate effort being discussed in https://gitlab.com/gitlab-org/gitlab-ce/issues/61551.
Permissions and Security
In terms of this specific issue, the primary concern is ensuring we follow the Vault documentation and install the server per its security configuration guidance. Features being implemented in relation to Vault will need to follow security and Vault best practices.
We will need documentation on how to manage and use the Vault instance, similar to our Consul documentation. We have already documented using GitLab and Vault authentication together. Next, we can expand that documentation to cover the Omnibus bundling.
- We need to be mindful of how environment variables are being used, and of redirecting secrets to use Vault
- We would want to make sure all secrets are supported in Omnibus
What does success look like, and how can we measure that?
We should measure usage of Vault (either configured or installed) by our users.