Examine which secrets we can move to Vault from gitlab.rb
We are considering potentially bundling and using Vault for GitLab's secrets. Initially this is likely to focus on an integration with the Runner, but we should also explore if we can use this to more completely separate passwords and configuration in gitlab.rb than what we could do with just encrypting the rails secrets: #3855. This could provide a method to truly separate configuration and passwords, a popular request: #2183 (closed).
It would be interesting to go through the list of all secrets contained in gitlab.rb and determine:
- If it could be moved into Vault
- If the consuming service could read directly from Vault, so it doesn't have to be stored elsewhere
We should also include secrets like the database encryption key, which is stored in gitlab-secrets.json.
Edited by Joshua Lambert