►
Description
doc - https://docs.google.com/document/d/1jh_hRvhaYBx9ENPmmnZ4e34QOc9-3oHKvA5aog22aio (internal)
issue - https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/15447
A
B
B
B
B
B
B
C
B
A
B
So
this
means
that
even
if
we
have
data
that
is
stored
in
disk
exposed
somewhere
publicly,
it
doesn't
matter
because
data
is
always
encrypted
in
in
a
in
a
like
a
combined
way.
We
need
kms
from
gcp
and
plus
other
tokens
to
actually
unseal
the
data
so
that
we
can
access
it,
and
there
is
some
details
in
this
link
here
and
now
you
can
see
how
shamir
keys
works.
B
We
don't
have
a
root
token,
so
it's
not
possible
to
have
like
an
admin
token
for
everything
we
remove
it.
After
bootstrapping,
we
do
have
recovery
keys
that
are
stored
in
one
password
that
we
can
use
to
recover
from
snapshots.
In
case
there
is
a
full
region
outage.
We
can
easily
take
data
from
gcs
and
bootstrap
the
service
somewhere
else,
but.
A
The
lack
of
ik
is
mostly
becoming
is
just
to
get
all
token
again
like
if
we
yeah.
This
is
the
scenario
you
use
the
kiloway
key
to
get
a
wood
token
and
you
can
use
the
token
to
there
is
no
snapshot
if
you
want
yeah,
but
the
restoring
from
squash
is
just
initialize
again,
and
so
you
get
a
new
token
from
that.
And
then
you
first
restore
the
subject
toy
store,
which
will
yeah
put
your
data
back,
and
you
are
good
to
go.
A
B
Yeah
thanks,
so
the
general
way
the
cluster
is
set
up
is
is
deployed
by
helm
in
in
kubernetes,
but
all
the
configuration
comes
from
terraform
so
run
everything
from
roles,
policies
and
everything
is
in
is
in
an
environment
in
config
management,
and
there
is
a
link
for
the
the
folder
in
terms
of
secret
structure.
We
only
have
key
value
back
ends
for
now
to
mimic
what
we
currently
have
with
gkms
and
and
other
stuff
that
we
are
using
in
different
tools.
B
B
C
Just
just
quickly
on
this,
like
often
we
have
the
same
secret
like
to
me,
I'm
not
sure
I
I
I'm
not
sure
I'm
assuming
this
is
done
like
this.
As
you
said,
more
about
role-based
access
permissions
but
like
are
we
gonna
have
this
situation
where
you
have
two
secrets
that
are
the
same
thing,
but
have
to
go
in
different
parts
like
to
me.
That
seems
more
complicated.
If
you
know
what
I
mean
is
this
the
only
way
we
can
kind
of
yeah,
okay.
A
C
This
is
not.
This
can
be
changed
obviously,
and
we
can
figure
it
out
all
I'm
thinking
about.
Is
we
don't
want
a
situation
where
it's
like?
Oh
here's
a
password
or
we
want
to
try
and
avoid
a
situation
where
it's
like
here's
a
password.
You
actually
have
to
update
it
three
times
in
vault,
because
different
things
are
using
what
is
the
same
password
so
but
yeah.
I
appreciate
that,
like
name
spacing
at
that
way
means
you
can
say
this
ci
job
can
access
that
or
this
kubernetes
cluster.
C
So
I
don't
know
play
around
with
that
think
about
how
you
can
kind
of
if
you
can
get
it
to
the
point
where,
even
if
it's
just
like
here
is
the
secrets,
like
a
production,
here's
the
secret,
but
we
can
like.
I
don't
know
if
we
can
do
roles
so
that
we
can
have
ci
and
jobs
and
communities
classes
accessing
the
one
secret,
because
I
think
a
big
thing
here
is
obviously
for
the
whole
point.
Part
of
the
big
work
on
this
project
is
a
single
source
for
secrets
right.
C
So
we
we
want
to
try
and
push
that
as
much
as
possible,
where
we
can,
with
the
the
opportunities
are
made
available
to
us.
It
could
also
be,
I
think
I
think
you
probably
need
to
like.
We
need
to
document
and
investigate
the
the
variables
we
use
in
general,
like
there
are
some
that
are
just
used
for
ci,
and
there
are
some
that
I
use
see
it's
tricky
because
it's
almost
like
you
want
to
define
sorry.
B
B
B
Kubernetes
and
we
have
authentication
with
the
cluster
based
on
on
service
accounts
and
native
kubernetes
authentication
and
with
gitlab
using
jwt,
and
this
is
how
we
integrate
with
ci
drums
and
and
then
app
role,
which
is
kind
of
like
token
based,
and
we
only
use
it
for
provisioning.
At
the
moment.
We
don't
use
it
for
anything
else
and
next
I'll
go
over.
Some
examples.
Merge
requests
where,
for
example,
this
is
not
a
merge
request,
but
this
is
how
it
generally
works
in
ci
with
the
native
integration
using
the
secret
feature.
B
B
C
B
The
variables
here
yeah,
so
this
is
templated
with
the
with
the
json
added
with
stuff
that
we
have,
and
here
we
will
just
be
like,
for
example,
the
author
will
be
named
after
the
repo
and
then
just
read
only
read
write
token
and
so
on,
and
this
is
the
ci
jwt
token.
So
we
are
using
the
the
native
gitlab
ci
token
dot
indicate
with
volt
and
just
to
show
how
it
looks
on
the
other
side,
environment,
vault,
roll
skate,
lab.
B
B
B
B
B
B
In
the
same
way,
the
terraform
was
updating
obtaining
its
credentials,
which
is
using
the
the
vault
authentication
path
is
going
to
use,
which
is
the
gitlab
authentication
backhand,
which
role
and
then
the
the
ci
job,
and
this
allows
us
then
to
execute
anything
with
with
volts
that
that
role
allows
and
for
helm
files.
Here
we
are
using
the
native
integration,
which
is
just
a
reference
vault
and
then
the
path
of
the
secret.
A
C
No
it's
it
is,
it
is
stain.
I
I
did
look
at
this
back
in
the
day
and
you're
right,
it's
poorly
documented
it
wraps
around.
So
this
is
functionality
in
helm
file
not
in
helm,
so
helm
file
is
pulling
the
secret
and
passing
it
as
a
plain
text
value
to
helm
itself.
It
uses
sops
mozilla's
sops
project,
which
is
the
format
you've
got
to
follow.
So
if,
if
people
are
looking
for
how
the
format
works,
you
go
to
the
mozilla
stops,
project
is
usually
the
best
but
yeah
it
it
it's.
C
It
has
had
work
to
it
done
to
it,
like
they've
expanded
the
secrets
back
in,
so
I
don't
think
it's
going
away,
but
yeah.
I
agree.
I
don't
know
why
it's
the
documentation
for
helm
file
in
general
actually
is
quite
poor,
though
I
think
they're
going
to
fix
it
up
now
that
they've
moved
the
project
into
a
standard,
its
own
github
organization.
A
B
It
completely
removes
secret
handling
from
ci,
and
in
this
case
we
are
using
external
secrets,
which
is
a
kubernetes
operator
that
basically
has
a
bunch
of
crts
custom
resources
in
terraform
in
kubernetes,
where
it
directly
connects
to
volt
and
and
injects
the
secrets
in
kubernetes
directly
for
us.
So
in
this
method,
we
no
longer
need
ci
to
handle
secrets,
and
there
is
a
many
different
ways
of
us
connecting
to
vote
grabbing
the
cigarettes,
and
this
is
what
makes
it
a
good
fit,
because
it's
very
flexible
on
how
we
can
connect
to
it.
B
We
are
generating
a
secret
store,
which
is
basically
telling
external
secrets,
which
provider
to
look
for
secrets,
and
in
this
case
it's
volt.
We
are
giving
it
defaults
address,
which
path
is
going
to
use,
which
version
of
key
value
back
end.
It
uses.
You
know
if
you
want,
v1
doesn't
have
versioning
and
we
true
as
versioning.
B
That's
basically
the
only
difference,
and
then
we
just
tell
it
how
to
authenticate,
and
we
will
be
using
its
native
service
account
for
for
the
namespace
with
kubernetes,
where
it's
going
to
authenticate
and
the
role
and
the
service
account
it
uses
and
for
external
secrets.
This
is
what
actually
tells
external
secrets
provider
where
to
look
for
things.
So,
basically
we
are
telling
you
to
use
that
secret
store.
B
C
B
C
C
C
Yeah,
well,
that's
what
I'm
I'm
trying
to
understand.
Can
we
move
the
secret
store
objects
into
like
the
helm
file
for
vault?
So
when
you
deploy
volt,
oh
wait.
No,
that's
not
gonna
work.
How
are
you
doing
it
at
the
moment
in
say,
staging
where
you've
got
like
four
kubernetes
clusters
to
all
of
the
clusters.
B
C
C
C
We
don't
want
correct
me.
If
I'm
wrong,
we
probably
don't
want
secret
store
objects
to
live
along
alongside
the
apps
like
here's
their
deployment,
here's
their
service,
we
don't
want
them
specifying
their
own
secret
store
right,
because
it
sounds
like
no
matter
what
they
say
that
they
can
just
say.
Here's
just
I'm
going
to
define
a
secret
store
that
gives
me
access
to
everything
right.
Well,
you
still
not
going
to
work.
C
A
A
B
C
C
Okay,
that
that
is
the
part
I'm
missing,
in
which
case
then
that's
fine,
like
I'm
just
trying
to
understand.
How
do
we
say
this
app
has
access
to
these
secrets,
like
we
define
that
somewhere
versus
a
developer,
just
being
able
to
define
what
whatever
they
want
kind
of
thing?
Is
there
a
split
there?
We
can.
C
Yeah,
okay,
okay!
So
basically
we're
saying
that
service
account
for
gitlab
web
can
access
these
secrets.
But
the
actual
configuration
of
the
secret
store
object
has
no
real,
like
that's
just
telling
you
where
to
find
the
secrets
and
who
define
it
as,
but
it's
not
actually
controlling
permissions
of
that
yeah.
B
C
Think
that
makes
sense
yeah,
okay,
so
yeah,
I
think
the
difference
is,
and
maybe
this
was
when
I
looked
at
external
secrets-
and
this
was
years
ago
back
when
I
was
it
was
still
under
godaddy
before
it
was
its
own
project
it.
The
model
was
I'm
not
even
sure
if
there
was
a
secret
store
cid,
it
was
the
external
secrets.
Controller
runs
as
a
service
account,
and
you
know
it
just
had
access
to
kind
of
like
whatever
you
wanted.
C
So
it
was
like
you
had
to
be
careful
of
what
people
were
setting
up
as
secrets
if
it
makes
sense,
but
it
sounds
like
they
may
have
fixed
that
or
maybe
not
fixed
that
but
re-architected
it
so
that
it
now
the
controller
is
still
making
requests
on
behalf
as
the
actual
user
that
we
expect
them
to.
So
there's
no
way
for
a
user
to
create
crd
objects
to
grain,
access
to
something
they're
not
allowed
to
access.
B
B
B
C
Yeah
so
that
so
yeah,
so
I'm
pretty
familiar
with
this
so
yeah.
So
it's
saying
that
so
that's
on
the
secret
store
object
right,
so
you're
saying
is
the
secret
store.
This
is
the
secret
store
log
me
the
service
account
in
this
kubernetes
cluster
myself.
My
web
app
service
account
log
me
into
volts
at
this
authentication
path,
and
then
you
have
to
specify
the
role
that
you're
trying
to
log
in
as
and
then
it'll
give
you
excess
or
deny
based
off.
You
know
if
you
actually
have
access
to
that
role.
B
C
B
C
B
C
Sure,
no,
I
I
said
I
was
confused.
I
what
I
thought
a
secret
store
object
was
was
just
basically
defining
if
the
whole
cluster
could
kind
of
access
secrets.
Now
I
can
understand
its
request
based
off
the
service
account
itself,
then
that
that
makes
more
sense.
I
think
I
think
for
apps.
This
is
how
I
see
it,
and
it
said
this
is
this
is
my
opinion
and
you
know
I'm
happy
to
change
it
for
so
there's
two
kind
of
layers
right
for
the
apps
upwards,
so
you
can
consider
the
gitlab
web
app.
C
You
can
consider
like
design.gitlab.com
all
of
the
bits
and
pieces.
I
think
we
probably
want
a
secret
store
per
app
because
their
developer
groups
are
going
to
be
they're
different
people
and
what
they
have
access
to
is
different
below
that.
So,
like
console
elasticsearch
fluentd,
all
those
you
could
do
one
per
app
as
well
or
you
could
just
have
like
a
global
infrastructure
one.
If
you
really
want.
Let's
get
it's
up
to
to
you
guys,
I
could
see
it
just
to
try
and
reduce
complexity.
A
B
Duplicate
secrets
so
that
we
don't
have
to
update
him
in
multiple
places
and
so
on,
because
we
can
make
it
as
simple
as
we
want
or
as
complicated
as
we
yeah,
because
it's
it's
really
flexible
with
with
the
policies-
and
this
is
the
external
secret
that
it's
creating
so
he's
just
pointing
to
the
secret
store,
store.
Yeah.
C
That
makes
sense
yeah
yeah.
We
will
do
this
yeah.
We
will
do
this
for
git
labcom.
So
what
I,
what
I'll
probably
do
is
when,
obviously,
when
this
is
all
ready
to
roll,
we
will
just
use
we
in
our
helm
release
well
we're
we're
changing
the
gitlab
com
repo
over
the
coming
months,
but
we
will
essentially
just
create
pure
secret
objects
and
sorry
pure
external
secret
objects,
and
just
rely
on
the
controller
to
sync
that
across
and
we
won't
because
we
can't
we
don't
want.
I
mean
we
can
all
agree.
B
C
Also
permissions
right
because,
like
we
want
like
for
us
now,
it's
for
everyone
on
this
call
who's
sres,
like
we
get
permissions
to
do
whatever
we
want
doesn't
matter,
but
you
know
we're
trying
to
move
any
actual.
Gitlab
developers
want
to
be
able
to
work
in
the
repos
a
lot
more
and
work
in
ci
pipelines
and
actually
see
the
ci
pipelines,
which
means
we
have
to
get
all
the
permissions
from
the
security
out
of
them.
B
I
was
gonna
get
to
that,
and
this
is
what
is
so
great
about
it.
Like
we
don't
care,
it
can
be
down
the
only
blocker
like
you.
You
can
see
a
vault
being
down
as
the
same
as
like
ci
being
down,
because
if
volt
is
down,
then
ci
probably
can't
grab
the
secrets
right,
but
in
this
case
we
don't
really
care
because
the
operator
syncs
the
secrets
from
volt
to
native
kubernetes
secrets.
B
So
if
vault
is
down,
not
nothing
happens
right
just
you
won't
be
able
to
update
secrets,
but
you
can
always
go
and
change
them
directly
in
kubernetes
until
you
fix
vault
or
anything
like
same
as
before,
right
like
if
jkms
is
down.
What
can
you
do
because
we
are
leveraging
native
kubernetes
secrets,
so
this
is
just
a
way
to
bring
them
from
vault
and
apply
them
in
kubernetes.
C
B
All
right
so
I'll
I'll
just
quickly
demo
like,
for
example,
here
we
have
a
my
key
with
value
test2,
but
if
we
go
to
version
one,
we
can
see
it
just
tests.
So
if,
if
we
go
to
the
external
secret,
I
just
reduced
the
refresh
interval,
but
it
doesn't
really
matter.
This
can
be
useful
in
cases
where
we
want
to
pull
stuff
dynamically
from
vault
and
update
it.
Whatever
time
we
can
just
also
just
disable
it,
and
it
will
only
update
when
we
change
the
spec
of
the
of
the
secret.
B
B
B
C
Can
we
actually
enforce
that
you
can't
update
a
new
secret
name
and
get
you
a
new
secret
version,
so
at
least
for
us,
we
would
really
like
to
to
basically
force
that
you
have
to
create
a
new
secret
object
with
the
new
secret
version,
with
a
secret
name
like
we
do
now,
simply
because,
like
in
the
case
of
the
gitlab
chop,
at
least,
if
you
change
the
secret
out,
underneath
it
pods
aren't
reloaded
and
everything,
and
it's
like
we.
We
like
the
more
deliberate
workflow
where
you
have
to
do
a
merge
request,
saying
gitlab
pods.
C
C
C
C
C
B
C
C
Yeah,
I
think
I
think
what
we
want
to
do
is
just
like
static
analysis
at
ci
time
right.
So
that
way
you
can
give
feedback
to
the
user.
This
has
failed,
and
this
is
why,
or
you
know,
define
a
library
even
if
it's
running
up
or
underneath
or
something
like
I
just
you
know,
on
the
stand
alone,
to
validate
that.
That
makes
sense.
B
B
There
is
an
official
vault,
ruby
library,
so
we
can
do
the
same
thing
as
we
currently
do
with
kms,
where
we
just
source
the
secrets
from
an
external
library
same
thing
for
ansible
there
is
a
community
module
where
we
can
use
the
same
kind
of
authentication
methods
we
use
here
like
native
gcp
and
so
on,
so
that
we
don't
have
to
rely
on
static
service
account
keys
like,
for
example,
this
will
rely
on
im
so
that
we
don't
have
to
have
manual
tokens.
Well,
we
don't
want
to
have
secrets
to
access
secrets.
C
D
C
B
B
D
B
D
B
Yeah,
like
we
are
trying
to
deliberately
not
use
it
as
I'd
say,
a
dependency
of
runtime
like
that's.
Why
we
have
this
approach
with
external
secrets
where,
because
you
can
use
volt
agent
also
in
kubernetes
and
the
application
will
read
directly
from
the
vault
agent,
but
we
don't
have,
we
don't
want
to
have
a
hard
dependency
on
vault
as
as
a
as
a
tool
like
it
does.
If
volt
goes
down,
it
should
not
affect
any
of
our
production
services
right.
B
D
I
think
I
have
an
existing
recipe
in
chef
to
install
vault
agent
and
to
get
it
writing
to
an
arbitrary
file
but
yeah.
I
remember
that
same
thing.
I
didn't
want
to
use
vault
agent
for
authentication,
but
using
it
to
do
its
templating
thing
like
the
console
templating,
where
you
just
say,
you
know
when
this
value
change
is
involved,
change
it
in
this
file
and
then
let
the
the
application
use
the
files
that
way
you
didn't
have
that
dependency.
That
vault
has
to
be
running
all
the
time.
B
B
C
C
Yeah
cool-
I
suggest
do
that
sooner
rather
than
later,
because
the
big
thing,
the
big
thing
that
jumps
out
at
me
and
once
again,
things
may
have
changed.
I'm
not
sure
is
the
difference
in
deployment
model
versus
when
we
were
looking
at
this
last
time.
So
last
time
we
did
an
isolated
gke
cluster
that
was
completely
internal
and
not
accessible
from
the
internet,
because
it
is
our
secrets.
C
B
C
B
C
B
C
Not
restricted
to
our
org,
isn't
it
because
I
just
tried
that
logging
in
with
my
personal
account
the
screen
came
up
or
unless
no,
it
must
be.
Okay,
I
must
be.
I
must
be
have
my
browser
configured
wrong,
that
that's
fine,
that's
perfect!
That's
what
I
always
just
wanted
to
check,
because
anything
we
exposed
to
the
internet.
Obviously
we
need.
Basically,
we
don't
just
want
to
trust
on
vault
itself,
not
having
like
permission.
You
know
like
a
security
bug
before
you
expose
it
to
the
internet.
C
B
C
C
D
C
Yeah,
so
I
think
it's
probably
fine,
because
the
gitlab
com,
terraform
repo
or
whatever,
it's
called
in
our
conflict-
management's,
not
public,
but
once
again
security
will.
Let
you
know
if
they
want
it
even
further
locked
down.
So
you
all,
I'm
saying,
is
you
may
end
up
having
to
pull
that
out
into
its
own
git
repo,
but
but
I'm
hoping
not
as
long
as
it's
not
public.
Oh
and
you
know
what
the
thing
with
security
is,
it
depends
who
you
get.
C
The
team
themselves
may
have
changed
their
mind
on
what
they
want
to
do
with
that.
So,
and
I
think
that
was
pretty
much
all
I
had.
Oh
so
yeah,
the
other
thing
so
the
external
secrets.
So
there's
two
interfaces
for
us
and
delivery,
and
probably
the
developer
users
eventually
are
going
to
be
using
right.
So
there's
I'm
going
to
try
and
push
them
for
kubernetes
just
using
the
external
secrets
controller,
because
it
is
a
simplistic
model
and
because
they
can
just
generate
their
own
manifests,
and
it
sounds
like
the
permissions.
C
We
can
handle
reliability,
side
and
there's
just
no
way
they
can
really
screw
it
up
or
make
ci
pipelines
fail.
I
I
don't
mind
you
know
if
people
want
to
use
the
helm
file
integration,
but
I
think
just
pushing
for
generic
secret
objects
and
external
secrets
will
just
be
less
much
less
painful
for
everyone.
The
other
big
one
is
going
to
be
secrets
and
get
lab
pipelines.
C
So
that's
where,
if,
if
fault
is
down,
the
ci
pipelines
won't
work
and
that
can
be
a
huge
risk
for
us
and
delivery,
especially
if
we're
close
to
the
22nd
of
the
month
and
like
it's
not
even
involved
being
down.
For
you
know
a
few
hours
or
a
day
can
cost
us
a
lot
of
time
when
we're
trying
to
meet
deadlines.
C
So
the
only
thing
I
wanted,
I
think,
it'd
be
good.
Some
point
in
the
project
is
to
consider,
I
know
you've
tested
backups.
Can
we
do
automatic,
backup
testing?
So,
like
you
know,
you
know
how
we
do
its
database.
We
have
a
ci
job
that,
like
spins
up
a
new
vault
cluster,
restores
the
backup
every
day.
So
it's
like
we're
all
constantly
testing
the
backups.
We
should
try
and
make
sure
we're
doing
that
with
the
open
source
version.
Do
we
get
streaming
replication?
C
A
C
Maybe
that
maybe
maybe
that
maybe
that's
not
a
bad
idea
or
the
other
thing
is,
it
would
be
great.
Maybe
this
is
too
hard
a
runbook
or
a
script
where
so
gitlab
ci's
integration,
it
just
populates
environment
variables
right
so
at
the
moment,
in
a
lot
of
the
important
pipelines
in
the
gitlab
application
right,
we
just
go
in
sorry.
C
It
would
be
good
to
have
an
emergency
run
book
and
or
tooling,
or
script
where
we
could
be
like,
gets
all
the
secrets
for
a
specific
ci
job
and
actually
uses
the
gitlab
api
to
manually
to
populate
them
back
in
as
get
lab
secrets.
So
it's
kind
of
like
turning
off
the
volt
integration
like
if
it
volts
down
or
it's
having
problems,
then
we
are
like.
We
need
to
run
pipelines
now
like
an
easy
run
book.
C
We
need
into
environment
variables
on
like
ops.getlab.net
and
the
gitlab
project
might
be
the
big
ones.
We
can
identify
a
list
and
be
like
we
can
just
get
them
running
manually
somehow
until
things
like
calm
down,
hopefully
we'll
never
need
it,
but
I
think
that
would
be
really
good
just
to
to
get
that
confidence
in
the
ci
cd
integration,
because
at
the
moment
you
know
it's
comes
from
the
like
ops.gitlab.net.
C
They
just
stored
it
on
ops.gitlab.net.
If
ops
is
running,
the
ci
power
lines
are
running,
it's
all
fine,
it's
a
closed
system.
So,
if
we're
introducing
an
external
dependency
just
once
again
having
a
run
book
or
a
process
where
we
can
kind
of
flick
it
back
just
temporarily,
if
needed,
would
be
good.
D
C
A
C
So
so,
when
we
were
looking
at
this
last
time,
we
talked
to
some
other
groups
that
were
using
bold,
especially
the
open
source
version.
They
had
a
bug
where
they
had
not
only
did
their
vols
instances
go
down
with
corruption,
but
their
backups
for
a
week
since
they
upgraded
vaults
were
also
corrupted.
C
So
I'm
not
I'm
not
trying
to
cover
every
scenario,
because
that
was
obviously
a
very
specific
and
rare
scenario,
but
I
think
once
again,
just
just
in
case
the
vault.
The
vault
ecosystem
has
something
wrong.
What
what
would
be
the
options
there
considering?
These
are
just
environment
variables.
We
can
populate
yeah.
C
I
do
think
just
like
trying
to
keep
like.
I
know
we
don't
get
streaming
replication,
but
even
just
like
up
to
like
a
a
you
know,
a
master
that
we
just
have
a
job.
That's
kind
of
manually
syncing
it
because
most
of
the
time
secrets
won't
change.
So
it's
not
a
big
deal.
It's
more
about
availability,
some
kind
of
hack.
We
can
do
to
try
and
keep
some
secondary
availability.
I
think,
could
be
nice
like
that,
might
be
good
enough.
C
You
could
consider
doing
something
like
an
export
to
plain
text
or
something,
and
then
gpg
encrypting
that
as
well
and
putting
it
in
a
gcs
bucket.
Maybe
that's
overkill.
I
don't
know
it's
just
it's
just
thinking
about
different
ways
to
really
build
that
confidence,
so
that
in
an
absolute
failure
you
know
in
the
failure
scenario
we
have
a
clear
understanding
of
how
we
need
to
get
those
things,
so
we
can
keep
moving.
C
I
think
that's
the
key
key
takeaway,
but
I
think
if
we
can
just
make
sure
we
keep
a
I'd,
be
just
fine
with
like
a
secondary
one
running
in
us
west,
maybe
and
then
yeah
like
once
an
hour
half
a
day.
We
just
like
snapshot,
restore-
and
you
know
obviously
paging
the
ocs.
If
that
doesn't
work,
and
things
like
that,
that's
probably
just
good
enough
and
then
making
sure,
and
even
in
delivery.
We
do.
C
C
Yeah,
that's
right
just
something
like
that.
I
think
really
just
to
make
the
confidence
so
that
those
you
know
we
don't
in
the
case
of
being
down
and
we
like,
we
actually
really
do
need
to
run
ci
pipelines.
It's
an
it's,
not
something
that
needs
discussion.
There's
just
a
rumble
like
this
is
exactly
what
you
need
to
do.
Boom
change
it
over
to
this
and
just
away
you
go
so
that
you
know
delivery
and
everyone
else
can
just
easily
follow
that.
I
think
that's
the
key
yeah.
B
C
I
think
the
thing
is
probably
what
needs
to
be
done
as
well,
and
this
isn't
really
reliability's
job
is
probably
an
audit
needs
to
be
done
on
some
of
them.
I
I'm
not
sure
if
we
need
all
of
them,
there's
probably
a
lot
that,
because,
because
the
ones
we
add
into
the
ui
we
they're
not
in
git,
we
have
no
git
history.
We
don't
know
who
added
them
when
or
whatever.
C
So
I
at
the
risk
of
making
this
project
take
longer,
but
at
some
point
someone's
probably
going
to
need
to
when
we
move
them,
probably
audit
them,
it
could
be
good
to
get
security
involved.
They've
got
infrastructure,
security
now
and
like
say,
hey,
look
we're
moving
all
these
over
and
get
them
to
like
document
where
they
are,
where
they're
coming
from
who's
using
them
and
stuff
like
that,
like
it
could
be
some
joint
work,
you
could
do
there,
but
yeah
that
makes
sense.