HashiCorp's Vault is paving the way for OSS Secrets Management and many of our customers are leveraging the solution today. Vault lets you easily rotate secrets and can manage intermediate, temporary tokens used between different services. This ensures that no long-term tokens are left lying around or in common use. By ensuring that GitLab does not hold any long-term secrets, Vault minimizes GitLab's attack surface and protects against unknown zero-day vulnerabilities in our Rails app today, or those that allow a bad actor to access the GitLab server.
There are three main secrets management use cases that Vault will solve for. These are as follows:
Operations, compliance, security, and audit teams will derive immense value from being able to manage secrets within GitLab. Vault will expand GitLab's security by offering an extra layer for tokens, keys, and other confidential data. This combination of tools will further establish GitLab's presence as an enterprise-grade, corporate solution for Release Management.
Now that we can effectively authenticate Vault with GitLab from gitlab#9983, and users can install Vault into a Kubernetes cluster via gitlab#9982, we are devoting more time to handling CI Variables from Vault. We will first enable users to authenticate into Vault by using a JSON Web Token (JWT) via gitlab#207125, which will be the first phase of successfully fetching and reading secrets from Vault, to be instrumented in gitlab#28321.
This category is currently at the "Minimal" maturity level, and our next maturity target is "Viable" (see our definitions of maturity levels).
Key deliverables to achieve this are:
There are other secrets management stores in the market. There is a nice overview of Vault vs. KMS which contains a lot of information about why we believe Vault is a better solution for secrets management. In the future, we could also consider supporting different solutions such as KMS.
Additionally, Vault Enterprise offers sets of capabilities that will not be part of the open source version of Vault bundled with GitLab. This includes replication across datacenters, hardware security modules (HSMs), seals, namespaces, servicing read-only requests on HA nodes (though the open source version does support high availability), enterprise control groups, multi-factor auth, and Sentinel.
For customers who want to use GitLab with the enterprise version of Vault, we need to ensure that this is easy to switch to/use as well.
Adding a Vault instance to omnibus installations that can be used for customer secrets is the right first place to start. Additional features will be added on, but this will meet the goal of providing a secrets management solution with GitLab (omnibus-gitlab#4317).
Our most popular issue is managing Vault secrets inside GitLab (gitlab#20306).
We are looking at including the Vault installation as part of the omnibus (omnibus-gitlab#4317) package, which comes for free bundled with GitLab. Having an installation guaranteed available serves as a foundation upon which we can build a deeper integration for moving GitLab's own secrets into Vault as well. Adding the same capability to gitlab.com is possible, but quite complex so is being researched in its own issue (gitlab-org#28584).
Expanding the prescriptive use cases for Vault in GitLab prior to investing in development effort is currently being considered in gitlab-org&2365.
Internally, once the Vault integration is available we can begin moving some of the secrets tracked internally in GitLab to the included Vault.
db_key_base secret to be rotated
The MVC for migrating our internal secrets is being tracked in the epic to move GitLab's own secrets into Vault. Supporting GitLab internal secrets first requires the Vault integration to be a mandatory part of the install.
Secrets management is a must-have for enterprise-grade Release Governance. Adding a proper interface to Vault (gitlab#20306) embedded in GitLab would make it easier to interact with the Vault instance. This would also help bridge the gap between manual and automated action within the UI. The interface can be leveraged for all secrets, which would also be a competitive feature set for the Operations-centered and security-minded buyers within the regulated space.