[Spike] Encrypt non-Rails passwords stored in `gitlab.rb`
Overview
In #5589 (closed) and gitlab#238483 (closed) users are given the option of storing the LDAP password and other Rails configuration passwords in an encrypted file instead of in plain text in the GitLab configuration files. There are some remaining passwords that are stored in GitLab configuration files in plain text that are not part of the Rails code base and have not yet been addressed.
Problem to solve
While customers said that storing the LDAP password in plain text was their top concern, many customers indicated that they don't want any configuration passwords stored in plain text and would like a more secure solution for all of these passwords. The solution used to encrypt the Rails passwords will not work for non-Rails passwords.
Proposal
Implement a solution that eliminates the need to store the following passwords in plain text.
- gitlab_shell['http_settings']['password']
- postgresql['sql_replication_password']
- redis['password']
- redis['master_password']
- grafana['admin_password']
- grafana['metrics_basic_auth_password']
- praefect['database_password']
- geo_secondary['db_password']
- geo_postgresql['pgbouncer_user_password']
- pgbouncer['databases'][DATABASE_NAME]['password']
- postgresql['pgbouncer_user_password']
This may require a separate research spike and POC.