Integrate Vault to Gitlab CI and move secrets
Story points: 11 SP
Estimated focus duration (perfect conditions): 7 days
Estimated pessimistic duration (worst case scenario): 12 days
Description
After Vault is production ready (https://gitlab.com/nunet/nunet-infra/-/issues/199) we can integrate it into Gitlab CI as a secrets backend (https://docs.gitlab.com/ee/ci/secrets/) and move secrets to be stored there. It also opens us to the possibility of using engines like SSH (https://developer.hashicorp.com/vault/docs/secrets/ssh) to have secrets rotated automatically.

Note: it might be that many steps and actions defined here are already being done or already implemented. This isn't supposed to be a re-implementation of those, but it should integrate them in the broader context of the pipeline so that the foundation is solid.
Who
- @gabriel.chamon -- Migrating the CI secrets to Vault
- @umair-nunet -- Enable the Gitlab Vault integration
What
- Implement Gitlab Vault Integration
- Create the Vault adoption plan
- Enhance the Vault documentation, feeding in the feedback from the team
How
- Upgrade Vault to incorporate the Gitlab integration
- Update the documentation on the Gitlab repo
- Update FAQs
Why
- To adopt Vault as the secret management solution
When
- N/A
Acceptance Criteria
Work Breakdown Structure (WBS)
OBSOLETE
Task | Description | Duration | Status | Start Date | End Date | Comment |
---|---|---|---|---|---|---|
1 | Upgrade Vault | | Done | | | |
2 | Test Gitlab integration for Vault on a new test server (Umair) | | Done | | | |
3 | Test & validate disaster recovery (Umair) | | Done | | | |
4 | Create & document disaster recovery or maintenance plan (Umair) | | Done | | | |
5 | Migrate CI secrets to Vault (Gabriel) | 4H | Doing | 2024-06-07 | | |
6 | Provide feedback on the experience and documentation (Gabriel) | 4H | Doing | 2024-06-07 | | |
Edited by Gabriel Chamon