Bundle Vault with GitLab omnibus
Problem to solve
GitLab does not provide a secrets management solution at the moment; users are on their own to find a solution such as Vault, and they have no guidance on how to use it in an ecosystem with GitLab.
This will be used by system administrators to install or define the Vault instance that GitLab interacts with, but it serves a broad cross-section of users. Security teams will be interested, as it provides a mechanism for secure key management (see the category page for overall strategic details and benefits).
Installing Vault will modify the GitLab system requirements as described in the Vault documentation.
In the future, if GitLab is modified to depend on Vault for its own internal secrets, this installation may be made mandatory.
We will optionally install the open source version of Vault as part of the GitLab omnibus installation, similar to how we include Consul today. This will be a place for customers to store other secrets, unrelated to GitLab, as part of their own usage.
Alternatively, we would allow using a customer's already in-place EE (or otherwise already existing) instance instead. In either case, the configuration for connecting to the chosen Vault instance should be retained so that future GitLab features can use it: this installation will also be leveraged to build interesting features on top of, including potentially moving GitLab's own secrets into a more secure location, and allowing for CI integration with this Vault.
- We will also add documentation on how to get the most out of GitLab and Vault.
- HA will need to be considered, but HA will be considered part of the "bring our own" model for now.
We could also consider providing a Vault instance to users of gitlab.com, but this is a major separate effort being discussed in https://gitlab.com/gitlab-org/gitlab-ce/issues/61551.
Permissions and Security
In terms of this specific issue, the primary concern is ensuring we follow the Vault documentation and install the server per its security configuration guidance. Features that are being implemented in relation to the Vault will need to ensure they follow security and Vault best practices.
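As an illustration of what "per the security configuration guidance" means for the server itself, here is an added example of a Vault server configuration in Vault's own HCL format, showing the listener block as it is commonly left in development beside a hardened form. This is not omnibus configuration and not code from the issue or from the GitLab project; the file paths, the hostname and the storage backend are assumptions chosen for the example.

```hcl
# Assumed paths and hostname; adjust to the deployment.
ui       = true
api_addr = "https://vault.example.internal:8200"

# Single-node file storage, assumed here for simplicity.
storage "file" {
  path = "/opt/vault/data"
}

# WEAK: plaintext listener. Tokens and secrets cross the network unencrypted
# and any client on the network can read or replay them. Only acceptable for
# a throwaway dev server, never for an instance GitLab or CI will talk to.
# listener "tcp" {
#   address     = "0.0.0.0:8200"
#   tls_disable = 1
# }

# HARDENED: TLS on the API listener with a modern minimum version.
listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/etc/vault.d/tls/vault.crt"   # assumed path
  tls_key_file    = "/etc/vault.d/tls/vault.key"   # assumed path
  tls_min_version = "tls12"
}

# Keep memory locking enabled so unsealed key material is not swapped to disk.
# (The service account needs the IPC_LOCK capability for this to work.)
disable_mlock = false
```

After the server is unsealed, enable an audit device (for example `vault audit enable file file_path=/var/log/vault/audit.log`) so that every request against the secrets GitLab and CI jobs read is recorded; the hardening guide also recommends revoking the initial root token once administrative policies and auth methods are in place.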
We will need documentation on how to manage and use the Vault instance, similar to our Consul documentation. This should include details on how you can leverage GitLab and Vault together in a good way, even if there are no official product features leveraging it. If there are product features coming out at the same time, these should be referenced.
What does success look like, and how can we measure that?
We should measure usage of Vault (either configured or installed) by our users.