Description
doc - https://docs.google.com/document/d/1jh_hRvhaYBx9ENPmmnZ4e34QOc9-3oHKvA5aog22aio (internal)
issue - https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/15447
B
I guess it just does. Then I'll go over the agenda. I'm not sure if any manager is joining, but there is an ask from Steve for people to give examples of alert storms, where we get paged a lot of times for the same problem. He's trying to look into ways to reduce the amount of alerts when something goes wrong, and there are some cool diagrams and info in the issue that are worth looking at.

B
Vault is currently deployed in the pre environment, and this is the external URL that you can use to access it today. Well, not to log in yet, because we are still waiting on an access request for permissions to Google Groups so that we can integrate policies for everyone. And this is the internal URL that most services will be connecting to. I'll go over the cluster setup quickly.

B
There are five pods deployed in the StatefulSet. It is multi-zone, so the preference is two pods per zone, and they can shift depending on whether there is a zonal failure or not. The disks are regional, so we are not specifically bound to a zone because of the data.

C
I think that's okay, because I'm pretty sure from what I've seen it looks pretty standard, nothing unusual. Okay.

B
Yeah, just a quick highlight of how Vault is set up: it uses the official Helm chart from HashiCorp for high availability. We have a StatefulSet with five pods. It runs two per zone by default, well, except that one zone always gets only one, and this is for quorum reasons, based on how Raft elects the leader. We use regional disks, so we are not bound to a zone for storage, and, as I said before, it uses Raft for storage and quorum, so everything is built into one.
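For illustration, a minimal sketch of the high-availability settings in the official HashiCorp Helm chart that this kind of setup corresponds to; the replica count matches what was described above, but the values file, labels and anti-affinity rule are assumptions, not the actual production configuration:

```yaml
# values for the official hashicorp/vault Helm chart (illustrative sketch only)
server:
  ha:
    enabled: true
    replicas: 5            # five pods in the StatefulSet
    raft:
      enabled: true        # integrated Raft storage, no external storage backend
  affinity: |
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchLabels:
                app.kubernetes.io/name: vault
            topologyKey: topology.kubernetes.io/zone
```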
B
We have snapshot backups that we push to a bucket in GCS, and we've tested the recovery from them and it all works well. In terms of security, it uses KMS from GCP for auto-unsealing.

B
So this means that even if data stored on disk gets exposed somewhere publicly, it doesn't matter, because the data is always encrypted in a combined way: we need KMS from GCP plus other tokens to actually unseal the data so that we can access it. There are some details in this link here where you can see how Shamir keys work.
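As a rough sketch of the auto-unseal piece being described, the GCP KMS seal is configured in Vault's server configuration, shown here as it might appear embedded in the Helm chart's config block; the project, key ring and key names are placeholders, not the real ones:

```yaml
# fragment of the chart's server.ha.raft.config value (illustrative; names are placeholders)
server:
  ha:
    raft:
      config: |
        storage "raft" {
          path = "/vault/data"
        }
        seal "gcpckms" {
          project    = "example-gcp-project"
          region     = "global"
          key_ring   = "vault-unseal"
          crypto_key = "vault-unseal-key"
        }
```

With an auto-unseal like this, the Shamir shares become recovery keys rather than unseal keys, which is what the recovery-key workflow described next refers to.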
B
We don't have a root token, so it's not possible to have an admin token for everything; we removed it after bootstrapping. We do have recovery keys, stored in 1Password, that we can use to recover from snapshots. In case there is a full region outage, we can easily take the data from GCS and bootstrap the service somewhere else, but...
A
The recovery keys are mostly there so we can get a root token again if we need one. That's the scenario: you use the recovery keys to generate a root token, and you can use that token to... there is no snapshot involved if you don't want one. But restoring from a snapshot is just initializing again, so you get a new root token from that, and then you restore the snapshot into the storage, which will put your data back, and you are good to go.
B
Yeah, thanks. So the general way the cluster is set up: it is deployed by Helm in Kubernetes, but all the configuration comes from Terraform, so everything from roles to policies is in an environment in config management, and there is a link to the folder. In terms of secret structure, we only have key-value backends for now, to mimic what we currently have with GKMS and the other stuff that we are using in different tools.
C
Just quickly on this: often we have the same secret... I'm not sure, I'm assuming this is done like this. As you said, it's more about role-based access permissions, but are we going to have this situation where you have two secrets that are the same thing but have to go in different paths? To me that seems more complicated, if you know what I mean. Is this the only way we can kind of... yeah, okay.

C
This can be changed, obviously, and we can figure it out. All I'm thinking about is that we want to try to avoid a situation where it's like, here's a password, but you actually have to update it three times in Vault because different things are using what is the same password. But yeah, I appreciate that namespacing it that way means you can say this CI job can access that, or this Kubernetes cluster can.

C
So, I don't know, play around with that and think about whether you can get it to the point where, even if it's just "here are the production secrets, here's the secret", we can do roles so that we can have CI jobs and Kubernetes clusters accessing the one secret, because I think a big part of the work on this project is a single source for secrets, right?

C
So we want to try to push that as much as possible, where we can, with the opportunities that are made available to us. It could also be... I think we probably need to document and investigate the variables we use in general. There are some that are just used for CI, and there are some that... see, it's tricky, because it's almost like you want to define... sorry.
B
We do have shared folders in these that can be accessed, sure. For example, the repo level can access a shared folder that all environments can access, and stuff like that, and it's easy to manipulate this in any way that we want, yeah.

B
Okay, cool. We just didn't want to go full on into trying to solve all the problems we have by scoping specific secrets for now, and instead tried to mirror what's already in place, so that we also don't put any limitations on integrations and stuff like that. Sure, yeah. For Kubernetes it's the same thing: cluster, namespace, app. The app will be bound to a service account, that service account is then bound to a role, and that role can only access this path.
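To make the scoping concrete, a purely hypothetical example of how the key-value paths and the bindings could line up; none of these names are the real ones:

```yaml
# purely hypothetical path layout; every name here is invented for illustration
examples:
  - shared/registry-pull-secret                      # a shared folder several roles can read
  - ci/gitlab-com/deploy-token                       # scoped to one CI project's role
  - k8s/pre-cluster/gitlab/webservice/db-password    # scoped to one app's service account
```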
B
At the moment we are leveraging Google for integration with GCP. It is OIDC, but it also uses JWT, depending on what kind of things you are doing.

B
For Kubernetes we have authentication with the cluster based on service accounts and native Kubernetes authentication; with GitLab, using JWT, which is how we integrate with CI jobs; and then AppRole, which is kind of token based, and we only use it for provisioning at the moment, we don't use it for anything else. Next I'll go over some examples and merge requests. For example, this is not a merge request, but this is how it generally works in CI with the native integration using the secrets feature.

B
So basically you just provide the variable, and then you specify which path in Vault it uses and which field to grab, and this will basically inject the secret into a CI variable, as if you were using variables in the CI job. This is pretty straightforward and is the simplest one, and it currently works for gitlab.com and ops, which we have integrated with Vault. Now I'll go a bit over how it works, but not in too much detail, and then Terraform for all of these methods.
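A minimal sketch of the native GitLab CI `secrets:` integration described above; the job name, server URL, role, mount and path here are invented for illustration:

```yaml
# .gitlab-ci.yml fragment (illustrative; names, paths and the mount are invented)
deploy:
  stage: deploy
  variables:
    VAULT_SERVER_URL: https://vault.example.internal:8200
    VAULT_AUTH_ROLE: example-deploy          # Vault role the job tries to assume
  secrets:
    DATABASE_PASSWORD:
      vault: example-app/db/password@ci      # <path>/<field>@<kv mount>
  script:
    - ./deploy.sh   # by default DATABASE_PASSWORD holds the path to a file containing the value
```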
B
They will use, for example for CI, the GitLab authentication backend; Terraform will also use it, it just depends on the way that we are authenticating. If we go here quickly to the providers...

B
Going over it... it's going to be hard to explain here.

C
And then in Terraform they just become, sorry, local variables, or... yeah, or... Vault is a provider, right, and then we just reference the provider and...

B
The variables here, yeah. So this is templated with the JSON and the stuff that we have, and here, for example, the auth role will be named after the repo, and then read-only and read-write tokens and so on, and this is the CI JWT token. So we are using the native GitLab CI token to authenticate with Vault. And just to show how it looks on the other side: environment, Vault role, GitLab.

B
This is how Vault grants the role to the job or not, based on bound claims. So here we have a project ID, which we configured before, and there's a bunch of other parameters that we can set. For example, we only allow it to assume this role if it's coming from this project ID and if the reference is protected, in this case if it's running on the master or main branch, and then we give it these policies, and the policies are what currently scope what kind of paths it can access in the key-value backend.
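For reference, the kind of role definition on the Vault side that this bound-claims check corresponds to, shown as the role's parameters; the project ID, claim values and policy name are placeholders:

```yaml
# parameters of a role on the GitLab JWT auth backend (illustrative placeholders)
role_type: jwt
user_claim: user_email
bound_claims:
  project_id: "12345"          # only jobs from this project may assume the role
  ref_protected: "true"        # only protected refs, e.g. the default branch
token_policies:
  - example-app-read-only      # policy that scopes which KV paths the token can read
```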
B
And once the provider is authenticated, then we can just grab secrets from there. In this case we are grabbing secrets to configure Vault itself, so Vault uses Vault to configure itself.

B
And then moving on to Helm or Tanka, anything Kubernetes. This is a bit generic in the way that it works for anything; here we're just explaining how it would work for Helm or Tanka. We're just installing Vault and then generating the token.

B
In the same way that Terraform was obtaining its credentials, it is using the Vault authentication path it's going to use, which is the GitLab authentication backend, which role, and then the CI job, and this allows us to execute anything with Vault that that role allows. And for helmfiles, here we are using the native integration, which is just a reference to Vault and then the path of the secret.

B
So instead of GKMS-encoded files, now the helmfile library will execute Vault API calls and get the secrets for us automatically.
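A hedged sketch of what that helmfile-side reference can look like; the release name and secret path are hypothetical, and the `ref+vault://` form is the vals-style reference that helmfile resolves by calling the Vault API:

```yaml
# helmfile.yaml fragment (illustrative only)
releases:
  - name: example-app
    chart: ./charts/example-app
    values:
      - adminPassword: ref+vault://ci/data/example-app/admin#/password   # resolved at render time via the Vault API
```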
A
One thing about this one is that it's not documented in the helmfile documentation. I had to find it in a pull request, and it's been implemented since 2019 but it never made it into the documentation, so I don't know if it's maintained or not.

C
No, it is, it is maintained. I did look at this back in the day and you're right, it's poorly documented. It wraps around... so this is functionality in helmfile, not in Helm, so helmfile is pulling the secret and passing it as a plain-text value to Helm itself. It uses sops, Mozilla's sops project, which is the format you've got to follow. So if people are looking for how the format works, going to the Mozilla sops project is usually the best, but yeah.

C
It has had work done to it, like they've expanded the secrets backends, so I don't think it's going away. But yeah, I agree; the documentation for helmfile in general is actually quite poor, though I think they're going to fix it up now that they've moved the project into its own GitHub organization.
B
It completely removes secret handling from CI. In this case we are using External Secrets, which is a Kubernetes operator that has a bunch of CRDs, custom resources, in Kubernetes, where it directly connects to Vault and injects the secrets into Kubernetes for us. So with this method we no longer need CI to handle secrets, and there are many different ways of connecting to Vault and grabbing the secrets, which is what makes it a good fit, because it's very flexible in how we can connect to it.

B
And then we can manipulate the secrets and so on. In this case, for Tanka, we just added...

B
We are generating a SecretStore, which is basically telling External Secrets which provider to look for secrets in, and in this case it's Vault. We are giving it Vault's address, which path it's going to use, and which version of key-value backend it uses; you know, v1 doesn't have versioning and v2 has versioning.

B
That's basically the only difference. Then we just tell it how to authenticate, and we will be using the native service account for the namespace, with Kubernetes, where it's going to authenticate, and the role and the service account it uses. And the ExternalSecret is what actually tells the external secrets provider where to look for things, so basically we are telling it to use that secret store.
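Roughly, the SecretStore object being described looks like the following; the API version, names, paths and role are placeholders and may differ from the real manifests:

```yaml
# SecretStore for the External Secrets operator (illustrative placeholders)
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault
  namespace: example-app
spec:
  provider:
    vault:
      server: https://vault.example.internal:8200
      path: k8s                                     # KV mount to read from
      version: v2                                   # KV v2, i.e. versioned
      auth:
        kubernetes:
          mountPath: kubernetes/example-cluster     # Vault auth mount for this cluster
          role: example-app                         # Vault role bound to the service account
          serviceAccountRef:
            name: example-app
```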
B
It depends how we want to scope it. We could use a cluster-wide one, and then everybody has access to those secrets, right, but we don't want certain applications to potentially have access to the secrets of other applications, so here we are creating one per application.

B
The way that you then use secrets is you just create the ExternalSecret.

C
Yeah, well, that's what I'm trying to understand. Can we move the SecretStore objects into, like, the helmfile for Vault, so when you deploy Vault... oh wait, no, that's not going to work. How are you doing it at the moment in, say, staging, where you've got like four Kubernetes clusters? To all of the clusters?

B
So when you deploy the external secrets operator, it does deploy the Vault connection and sets everything up, so everything is in place. That's the only thing that you need to deploy in the cluster, right.

C
So, sorry, so external secrets will be in all four clusters, and that's deployed with a GKE service account, which will be the actual process that's authenticating to Vault. And so then do we still need at least one SecretStore CRD in every cluster, right? Yeah.

C
Okay, so what I'm trying to split out here is developers. Our long-term goal in Delivery for this year is to get developers owning deployments, you know, that's one of the things we're moving toward. So probably what we want is... we don't want...
C
Correct me if I'm wrong, but we probably don't want SecretStore objects to live alongside the apps, like, here's their deployment, here's their service; we don't want them specifying their own SecretStore, right? Because it sounds like, no matter what, they could just say: I'm going to define a SecretStore that gives me access to everything, right? Well... that's still not going to work.

C
It's like you...

C
Okay, that is the part I'm missing, in which case that's fine. I'm just trying to understand: how do we say this app has access to these secrets, like, do we define that somewhere, versus a developer just being able to define whatever they want, kind of thing? Is there a split there we can...?

B
Yeah, with the roles; that's where we define what has access to what, right, and here we set the roles...

C
Yeah, okay, okay! So basically we're saying that the service account for gitlab-web can access these secrets, but the actual configuration of the SecretStore object has no real... like, that's just telling you where to find the secrets and who to identify as, but it's not actually controlling the permissions of that. Yeah.

C
I think that makes sense, yeah, okay. So yeah, I think the difference is, and maybe this was when I looked at external secrets, and this was years ago, back when it was still under GoDaddy before it was its own project, the model was... I'm not even sure there was a SecretStore CRD; the external secrets controller ran as a service account, and it just had access to kind of whatever you wanted.

C
So it was like you had to be careful about what people were setting up as secrets, if that makes sense. But it sounds like they may have fixed that, or maybe not fixed it but re-architected it, so that now the controller is still making requests, but on behalf of the actual user that we expect it to. So there's no way for a user to create CRD objects to gain access to something they're not allowed to access.
B
Yeah, yeah, I think it'll be easier if I show it here. So, for example, we have this one.

B
So this is creating a SecretStore and an ExternalSecret in the vault namespace, and we can see here that it has been created, and if we go to the SecretStore we can see it here, and this is all in the vault namespace, right? Yep.

B
And if we look at the definition, we can see it's called vault, and it's bound to the Kubernetes authentication method. Yeah.

B
At this path, and yeah, this is basically whatever prefix we give it, we called it kubernetes, then the cluster name, and the role it's going to try to use. And if we go back...

C
Yeah, so I'm pretty familiar with this, so yeah. So it's saying, and that's on the SecretStore object, right, the SecretStore is saying: log me, the service account in this Kubernetes cluster, my web app service account, log me into Vault at this authentication path, and then you have to specify the role that you're trying to log in as, and then it'll give you access or deny based on whether you actually have access to that role.

B
Yeah, and the namespace, and we can give extra policies or not; here we are not. And then we just specify which service account it's going to use. We are using the pre-created one; we could also create a separate one.

B
Yeah, in terms of the SecretStore, maybe per app doesn't make sense everywhere, right, so we can also change that. Yeah.

C
Sure, no, as I said, I was confused. What I thought a SecretStore object was, was basically defining whether the whole cluster could access secrets. Now that I understand the request is based on the service account itself, that makes more sense. I think for apps, and this is just my opinion, I'm happy to change it, there are two kinds of layers, right. For the apps upwards, you can consider the GitLab web app...
C
You can consider, like, design.gitlab.com, all of the bits and pieces. I think we probably want a SecretStore per app, because their developer groups are going to be different people and what they have access to is different. Below that, so like Consul, Elasticsearch, fluentd, all of those, you could do one per app as well, or you could just have like a global infrastructure one if you really want. It's up to you guys; I could see it just to try and reduce complexity.

B
Yeah, it really ties into how we want to structure it, in terms of, like, avoiding duplicate secrets, so that we don't have to update them in multiple places and so on, because we can make it as simple as we want or as complicated as we want, because it's really flexible with the policies. And this is the ExternalSecret that it's creating, so it's just pointing to the SecretStore. Yeah.

C
That makes sense, yeah, yeah. We will do this, yeah, we will do this for gitlab.com. So what I'll probably do is, obviously when this is all ready to roll, we will just use it in our Helm release; well, we're changing the gitlab-com repo over the coming months, but we will essentially just create pure secret objects, sorry, pure ExternalSecret objects, and just rely on the controller to sync that across. And we won't... because we can't... we don't want... I mean, we can all agree.
C
Also permissions, right, because for us now, for everyone on this call who's an SRE, we get permissions to do whatever we want, it doesn't matter. But you know, we're trying to move... actual GitLab developers want to be able to work in the repos a lot more and work in CI pipelines and actually see the CI pipelines, which means we have to get all the security-sensitive permissions out of them.

B
I was going to get to that, and this is what is so great about it: we don't care if it's down. The only blocker... you can see Vault being down as the same as CI being down, because if Vault is down then CI probably can't grab the secrets, right. But in this case we don't really care, because the operator syncs the secrets from Vault into native Kubernetes secrets.

B
So if Vault is down, nothing happens, right; you just won't be able to update secrets, but you can always go and change them directly in Kubernetes until you fix Vault, same as before, right, like if GKMS is down, what can you do? Because we are leveraging native Kubernetes secrets, this is just a way to bring them from Vault and apply them in Kubernetes.
B
All right, so I'll just quickly demo. For example, here we have my-key with the value test2, but if we go to version one, we can see it's just test. So if we go to the ExternalSecret... I just reduced the refresh interval, but it doesn't really matter. This can be useful in cases where we want to pull stuff dynamically from Vault and have it updated at whatever interval; we can also just disable it, and then it will only update when we change the spec of the secret.
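The ExternalSecret shown in the demo would look roughly like this; the names, path and interval are illustrative, not the real manifest:

```yaml
# ExternalSecret consumed by the operator (illustrative placeholders)
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vault-example-secret
  namespace: example-app
spec:
  refreshInterval: 1m            # how often the operator re-reads Vault; 0 syncs only once
  secretStoreRef:
    name: vault
    kind: SecretStore
  target:
    name: vault-example-secret   # the native Kubernetes Secret the operator creates
  data:
    - secretKey: my-key
      remoteRef:
        key: example-app/demo    # path inside the KV mount
        property: my-key         # field to pull
```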
B
And if we go to the Secret, we will see the reference that we added there, vault-example-secret. This was created by the operator, and we can see there is my-key with four bytes, and there it is, our secret. And if we go back to the ExternalSecret, we can update it again to version two.

C
Can we actually enforce that you can't update a secret in place, and instead get a new secret name for a new secret version? At least for us, we would really like to basically force that you have to create a new secret object, with the new secret version in the secret name, like we do now, simply because, in the case of the GitLab chart at least, if you change the secret out underneath it, the pods aren't reloaded and everything, and we like the more deliberate workflow where you have to do a merge request saying the GitLab pods...

C
You know what, that's fine, we can do that. We're going to start doing static analysis tests on manifests anyway, so that's something we can pick up there, and then we can just fail the test saying we don't want you to do this, if that's... because...

C
Yeah, I think what we want to do is just static analysis at CI time, right. That way you can give feedback to the user: this has failed, and this is why. Or, you know, define a library, even if it's just something standalone running on top or underneath, to validate that. That makes sense.
B
Yeah, I haven't looked in detail at what it can do in that aspect, but there are policies at the operator level, so maybe it can do that; it's certainly something that we can check. And just to wrap up with other use cases, for example, what we will do for Chef.

B
There is an official Vault Ruby library, so we can do the same thing as we currently do with KMS, where we just source the secrets from an external library. Same thing for Ansible: there is a community module where we can use the same kinds of authentication methods we use here, like native GCP and so on, so that we don't have to rely on static service account keys. For example, this would rely on IAM, so that we don't have to have manual tokens; we don't want to have secrets to access secrets.
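As an example of the Ansible side, the community collection exposes a lookup plugin; the secret path and URL here are made up, and the authentication options would need to match whichever auth method gets enabled (token auth is the plugin's default):

```yaml
# illustrative Ansible task using the community.hashi_vault collection (path and URL invented)
- name: Read a value from Vault
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=ci/data/example-app/db:password url=https://vault.example.internal:8200') }}"
```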
C
Have you guys looked at what Devin did? Devin, you almost got the whole way with the Chef Vault stuff, didn't you?

D
The code's still there. I don't remember exactly where it is, it's been a while, but yeah, it's all still uploaded.

B
Yeah, thanks. We haven't looked much in detail into Chef or anything else yet, just because we know that it's possible to do and there are many ways to do it, but the path of least resistance would probably just be to do what we currently do with GKMS, just using an external library or something like that.

B
And then lastly, group policies so that we can give people access: that's in progress, we're waiting on an access request to give us some credentials so that we can authenticate with G Suite to get access to group membership.

D
One of the things that I found when I was looking at the Chef stuff is that there are cases where we don't want to wait for the next Chef run to update secrets; Consul and databases and stuff like that were the main ones, but I think there were some others.
B
Yeah, definitely possible. It's also nice because the Vault agent actually caches certain things, so even if Vault is down there is still some caching there. Well...

B
Yeah, we are deliberately trying not to use it as, I'd say, a runtime dependency. That's why we have this approach with external secrets, because you can also use the Vault agent in Kubernetes and have the application read directly from the Vault agent, but we don't want to have a hard dependency on Vault as a tool. If Vault goes down, it should not affect any of our production services, right.

B
Yeah, we haven't looked into using the agent for Chef or anything on VMs yet, but yeah, it would be nice to have. For now we are just looking at... pretty much.

D
I think I have an existing recipe in Chef to install the Vault agent and get it writing to an arbitrary file, but yeah, I remember that same thing. I didn't want to use the Vault agent for authentication, but to use it to do its templating thing, like the Consul templating, where you just say, when this value changes in Vault, change it in this file, and then let the application use the files. That way you don't have the dependency that Vault has to be running all the time.

B
Yeah, it does, yeah, it integrates with Consul also, so we can use both. Definitely lots of possibilities. At the moment we're just trying the basics, so that we can at least start using a single source of truth for the secrets.
B
Yep, and that was all that I had to show. There are lots more things that I didn't get into because it would get too long, but the document links to source code and more documentation and so on, if you're interested in exploring.

C
Yeah, cool. I'd suggest doing that sooner rather than later, because the big thing that jumps out at me, and once again things may have changed, I'm not sure, is the difference in deployment model versus when we were looking at this last time. Last time we did an isolated GKE cluster that was completely internal and not accessible from the internet, because it is our secrets.

C
Looking now at, like, vault.pre.gitlab.net, what are you using for ingress, or what is fronting that to the internet? Is it just an external load balancer, or...?

B
Both. The external one uses GCP with IAP, the Identity-Aware Proxy stuff, so that we can access the web UI outside of the internal network. Right, okay. That one doesn't work for anything CLI or API directly, so we have the internal endpoint, which is just a Service.
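For the internal endpoint, a sketch of how an internal-only Service is typically expressed on GKE; the annotation is the standard GKE one, but the Service name, namespace and ports are placeholders:

```yaml
# internal-only LoadBalancer Service for the Vault API on GKE (illustrative)
apiVersion: v1
kind: Service
metadata:
  name: vault-internal
  namespace: vault
  annotations:
    networking.gke.io/load-balancer-type: "Internal"   # keep the address on the internal network
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: vault
  ports:
    - name: https
      port: 8200
      targetPort: 8200
```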
C
Load balancer type internal, yeah, okay, cool. So hang on, if I go to vault.pre.gitlab.net, is that through IAP?

C
It's not restricted to our org, is it? Because I just tried logging in with my personal account and the screen came up... or unless... no, it must be. Okay, I must have my browser configured wrong. That's fine, that's perfect! That's what I just wanted to check, because for anything we expose to the internet, obviously we don't want to just trust Vault itself not having, you know, a security bug or a permission issue, before we expose it to the internet.

C
IAP is perfect. So that means we're planning on running a Vault cluster per environment, so one in pre, one in staging, one in production, instead of, like, an isolated one with namespaces, or...?

C
Yeah, so I think it's probably fine, because the gitlab-com Terraform repo, or whatever it's called in our config management, is not public. But once again, security will let you know if they want it even further locked down. All I'm saying is you may end up having to pull that out into its own git repo, but I'm hoping not, as long as it's not public. Oh, and you know what, the thing with security is, it depends who you get.
C
The team themselves may have changed their mind on what they want to do with that. And I think that was pretty much all I had. Oh, so yeah, the other thing: the external secrets. There are two interfaces that we in Delivery, and probably the developer users eventually, are going to be using, right. For Kubernetes I'm going to try to push them toward just using the external secrets controller, because it is a simple model, because they can just generate their own manifests, and it sounds like the permissions we can handle on the Reliability side, and there's just no way they can really screw it up or make CI pipelines fail. I don't mind if people want to use the helmfile integration, but I think just pushing for generic secret objects and external secrets will be much less painful for everyone. The other big one is going to be secrets in GitLab pipelines.

C
That's where, if Vault is down, the CI pipelines won't work, and that can be a huge risk for us in Delivery, especially if we're close to the 22nd of the month. Even Vault being down for, you know, a few hours or a day can cost us a lot of time when we're trying to meet deadlines.
C
So the only thing I wanted, and I think it'd be good at some point in the project to consider this: I know you've tested backups, but can we do automatic backup testing? Like, you know how we do it for the database: we have a CI job that spins up a new cluster and restores the backup every day, so we're constantly testing the backups. We should try and make sure we're doing that. With the open source version, do we get streaming replication?

C
Maybe that's not a bad idea. Or the other thing is, it would be great, and maybe this is too hard, a runbook or a script where... so GitLab CI's integration just populates environment variables, right. At the moment, in a lot of the important pipelines in the GitLab application, we just go in... sorry.

C
It would be good to have an emergency runbook, and/or tooling or a script, where we could say: get all the secrets for a specific CI job, and actually use the GitLab API to manually populate them back in as GitLab CI variables. So it's kind of like turning off the Vault integration: if Vault is down or having problems and we need to run pipelines now, there's an easy runbook.

C
The ones we need as environment variables on, like, ops.gitlab.net and the gitlab project might be the big ones. We can identify a list and be like, we can just get them running manually somehow until things calm down. Hopefully we'll never need it, but I think that would be really good, just to get that confidence in the CI/CD integration, because at the moment, you know, it comes from ops.gitlab.net.

C
It's just stored on ops.gitlab.net: if ops is running, the CI pipelines are running, it's all fine, it's a closed system. So if we're introducing an external dependency, then once again, having a runbook or a process where we can kind of flick it back temporarily, if needed, would be good.
C
So when we were looking at this last time, we talked to some other groups that were using Vault, especially the open source version. They had a bug where not only did their Vault instances go down with corruption, but their backups for the week since they had upgraded Vault were also corrupted.

C
So I'm not trying to cover every scenario, because that was obviously a very specific and rare scenario, but I think, once again, just in case the Vault ecosystem has something wrong, what would the options be there, considering these are just environment variables we can populate? Yeah.

C
I do think, just trying to keep... I know we don't get streaming replication, but even just keeping a standby up to date with a job that's kind of manually syncing it, because most of the time secrets won't change, so it's not a big deal. It's more about availability; some kind of hack we can do to try and keep some secondary availability could be nice, I think. That might be good enough.

C
You could consider doing something like an export to plain text or something, and then GPG-encrypting that as well and putting it in a GCS bucket. Maybe that's overkill, I don't know. It's just thinking about different ways to really build that confidence, so that in an absolute failure scenario we have a clear understanding of how we get those things, so we can keep moving.

C
I think that's the key takeaway. I'd be just fine with, like, a secondary one running in us-west maybe, and then, yeah, once an hour or half a day, we just snapshot and restore, and obviously page the on-call if that doesn't work, and things like that. That's probably just good enough, and then making sure, even in Delivery, we do...
C
Yeah, that's right, just something like that, I think, really just to build the confidence so that, in the case of Vault being down when we actually really do need to run CI pipelines, it's not something that needs discussion. There's just a runbook: this is exactly what you need to do, boom, change it over to this and away you go, so that Delivery and everyone else can just easily follow it. I think that's the key, yeah.

B
For cases like CI variables and stuff that we already have in place, I was thinking of just leaving both running. Sure, yeah. Oh yeah, yeah.

C
I think the thing that probably needs to be done as well, and this isn't really Reliability's job, is an audit of some of them. I'm not sure if we need all of them; there are probably a lot that... because the ones we add in the UI are not in git, we have no git history, we don't know who added them, when, or whatever.

C
So, at the risk of making this project take longer: at some point, when we move them, someone is probably going to need to audit them. It could be good to get security involved, they've got infrastructure security now, and say, hey, look, we're moving all these over, and get them to document where they are, where they're coming from, who's using them, and stuff like that. It could be some joint work you could do there, but yeah, that makes sense.

A
One thing we did at the beginning is that Reliability had, like, fully accessible secrets and stuff, you could view, create, delete and everything, and the developers had access to that group and they could create secrets.

B
Yeah, at the least it will give us way more possibilities than we currently have with GKMS and stuff, and then we want to go forward in restricting access and all of that, yeah. It's nice. We are a bit over time, but thanks everybody for joining. I'm glad that there was a good discussion. Thank you.