From YouTube: Vault as a GitLab Managed Application
Description
Follow the issue here: https://gitlab.com/gitlab-org/gitlab/issues/9982
A: All right, we're here with Graham, an SRE here at GitLab, and we're going to talk a little bit about a project he's working on about adding Vault as a GitLab managed application. This is related to something in the Secrets Management category called allowing a user to set up Vault in a Kubernetes cluster. So I'll let you take it away and kind of talk a little bit about what you're doing. Yep.
B: Sure. So the context behind me, like the initial kind of starting point of this work, was actually based off the use case and requirements for the GitLab infrastructure team itself. So we run GitLab.com, obviously, which is arguably the world's biggest installation of GitLab. So it's quite big. It's got quite a lot of complex infrastructure to it.
B: What we're doing as a team at the moment is we have a few different mechanisms of doing what we call, you know, secrets management, I guess you could say. The big things being like usernames and passwords, and then also one thing that's very important to us that we're managing ourselves at the moment is internal certificate management. So all of the SSL certificates for all our publicly facing websites, and then we have a bunch of internal services that customers don't see that we want to be encrypted by TLS.
B: So we want to do a lot of certificate management stuff related to that. So currently, as a team, we utilize Chef for our infrastructure management, and then we have certain hooks, plugins and workflows around Chef to hook into Google Cloud Storage and Google Cloud KMS, the key management system there, to basically store all our secrets, encrypt them, and then pull them out via Chef and deploy them on the service as needed. But this has a raft of shortcomings, including: the integration is all written by us, so it's very cumbersome.
B: The integration is tricky; it's not really easy to automate at the moment. And one of the big things is, with the migration of GitLab.com slowly to Kubernetes as well, all of the work we've done on the Chef integration kind of gets thrown away, because moving to Kubernetes, basically we're not using Chef anymore. So one of the things we discussed was: how do we do secrets management as a whole? Like, how do we as a team internally do that?
B: That's for all of GitLab.com. And so I've had experience with Vault in the past and, to be fair, I've only been in the company six months, but before I started that was already basically a design that we should look at using HashiCorp Vault internally to centralize all the secrets management. There's a raft of other benefits, obviously, things like auditability, better and quicker policy control, things like that. So it was overall...
B: Just how can we bring all of the secrets we have, which are managed in multiple locations, together on one system, and then how can we use that to drive better security, better automation, better deployment patterns, things like Kubernetes and redeployment scenarios and things moving forward? So I've been working on that on and off for the past three months. In the infrastructure team we kind of get priorities focused around various things at various times, depending on what we need to do and what GitLab.com is doing.
B: Changing the way they're doing the GitLab managed apps. Before it was like click buttons in the UI and underneath the covers the installation is coming from the Rails side, whereas now they're moving to having the apps installed via CI. They're basically changing the whole model of how the GitLab product does GitLab managed apps and what have you. And one of the things I noticed as part of that was I found an issue saying, hey,
B: we would like people to have Vault as a GitLab managed app deployed via CI onto Kubernetes. And there was another issue that users want things like CI integration and GitLab integration into Vault. So I actually saw an opportunity here, because I'd done a bunch of deployment work around Vault on Kubernetes, which we basically just keep in a repo for ourselves, used for our own work.
B: I was like, I can actually tweak that and modify that, put it into the merge request that I've put up here for GitLab managed app CI, and then essentially it makes it into the GitLab product and no longer am I kind of managing a deployment process for Vault itself. It basically will be done the same way as the product; we can just leverage that the same way we leverage the other pieces of GitLab managed apps like Ingress, Helm, Prometheus and all the other stuff.
B: So it's just a case of: we were doing stuff by ourselves and it looked like the product wanted to take that as well. So I could just move that over there and then I'll basically get rid of all my, I guess you could say, local fork work or whatever, and we'll just go back to doing GitLab managed app stuff. So once again it was primarily driven by our use case internally, and it's certainly, you know, when this merge request kind of gets massaged and gets to a point where it's kind of workable...
B: Running not only Vault for us to run GitLab.com, but also running Vault essentially as a managed service, so that people using GitLab.com can say, you know, look, I've got passwords, I've got secrets, and they can basically push them into a Vault instance that we run on their behalf, so that their deployment pipelines and everything can make use of that. So there are two separate use cases. One is, I guess you could say, Vault for customers, and then there's Vault for us as a company internally. Yeah.
B: So that's a good question. So Vault... if you look at every GitLab managed app we have so far, most of them are fairly simple and very straightforward in what they do and their purpose. Things like cert stuff, you know, get your certificate, or the Ingress controller, to allow you to expose Kubernetes pods easily. Vault is probably the most complicated app we have potentially going into GitLab managed apps, and there's certainly no kind of... I mean, the goal would be to tack on some kind of click-
B: button, one-size-fits-all kind of philosophy for Vault, but due to the nature of (a) the complexity involved and (b) the user space it occupies, which is trying to go for secrets and a high level of security, you need a non-trivial amount of knowledge to run Vault itself. So certainly with this work, if you are a person who knows Vault quite well, you could use this work and click a button and get a Vault instance up and running. But then it's like, well,
B: what do I do now that it's running? That certainly becomes a much more different and more interesting story. On top of that, with a lot of the other GitLab managed apps there might be one or two settings you tweak slightly; Vault is very much a per-user, per-customer tweak area. It's very, very heavily tweaked, because you've got things like: how do you authenticate to the Vault? Are you using something like AWS? Are you using Google Cloud, or something else?
B: Then there's also the underlying storage of the secrets management stuff. For example, we're on Google Cloud, so we used Google KMS, but if you're on Amazon you use IAM; if you're on Microsoft, you use something else. If you're on premise, as in one of our many on-premise customers, then there's a completely different raft of options. So it's kind of like... the upstream documentation can be like, you know,
B: you could do this and that, or you could do this in a kind of development mode. But we have to be careful, because we can definitely set them up with some sane defaults, but we do not want to give people a false sense of security. We can make it clear, you know, what the pros and cons are of what they get out of it. Like...
B: Yeah, and I think in the past, with GitLab managed apps version one, that was almost impossible for us to do, because the user interface and experience was very limited in what we could do. With the alpha of GitLab managed apps v2 via CI, basically now it is very easy for you, if you've read the documentation and you know in advance, to go, okay, right, I do want GitLab to deploy my Vault and I would like it to,
B: you know, authenticate to this and set up some storage backend onto this for me. And that can do it, and that can still, I feel, and that's what we're going to be using it for, provide a lot of value around the upgrade and management of Vault itself, and a bit of that integration in terms of being a GitLab managed app and getting an overview of the cluster, basically the whole GitLab
B: Kubernetes UI, which looks very nice and which we want to leverage. But, you know, I still need to be telling the GitLab managed app quite a bit of information on how I particularly want things to shake out. Okay. Then there's also the question of, once you have Vault up and running, the way you kind of say this user can do this, or this CI job can have this secret. The...
B: You do... you know, so when we kind of get to that point where we're kind of doing the offering for customers, is the idea to be like, you know, here's Vault for secrets, you manage your secrets in here for CI jobs, for GitLab work and stuff, and not just for anything outside of GitLab? Like, conceivably we could expose a public Vault endpoint that people authenticate to and have anything in their entire infrastructure...
A: ...manage all of that. So if we're looking at us being the end-all be-all for someone's workflow, it makes a lot of sense. And in managing issues, we provide an integration to ServiceNow; we have a whole other external system that we're going to be managing notifications and workflows from, so that's like super visionary, yeah.
B: ...space and lock and unlock their own parts of the Vault, so they can actually get a bit more control over that as well. So I'm just trying to understand the direction of Vault, whether it's like, oh no, we just want to use it for, like, co-inventor spots, or it's actually something we do potentially see as a generic solution for customers, which sounds like the latter, which is...
A: We need a more secure, robust offering there as part of just a CI/CD workflow, and Vault can be, and will be, the solution for that. And then, as we build more and more on top of it, we'll be able to inject better value for our users. But I'm very interested in this GitLab managed application and kind of wondering: how can my team help move this along? What are some things that you feel like we would need in order to bridge the gap between the internal use case and an external user?
B: Really, yeah, you know, I think we're in a relatively good space with that, notionally. It's back to me now to do a little bit of work, but that's mostly just tweaking and rebasing some stuff, because they've changed some stuff. And the second part, I think, will be I need to do some documentation, and I'd be, you know, more than happy for your team and anyone else to have a review of both, from a technical side of how this works and is this correct, and, moreover,
B: also just making sure we get the wording right for customers, so they understand, you know, what it is and the limitations, and what they get and what they don't get out of the box, kind of thing. Because more or less what will happen is the user experience would be: certainly you'd be like ticking a checkbox or whatever.
B: It is, and say: yeah, I'd like Vault installed, and here's my cluster set up, and away I go. And it will run, it will install and set itself up correctly, but actually there's a few different post-install things that people need to do that I'm not going to handle or automate, because they involve setting... getting...
B: It's got to be a kind of case of, you know, if you wish to... getting that managed, when the app is installed successfully, perhaps maybe some reference to the Vault documentation: the Vault is locked, you need to unlock it, take your master keys and, you know, put them away, and then once that's done, you can now validate that it's available and then what have you, try to do from there, kind of thing. Right.
A: ...cluster, they're going to have to configure their AppRole if they're going to use machines, or they're going to have to authenticate with GitLab or GitHub, whatever. They'll still have to make their choice of what they're going to be getting in order for it to work, because we don't really support that natively yet. Obviously, yes.
B: And I think there's a good question there to be asked: how does GitLab need to manage that information? Somehow, whether we come up with a way to manage that just for GitLab internally, or whether there's an opportunity here for us to figure out a way to manage it that could also be somehow fed back into the product to make it easier for users to manage it. That makes sense, right?
B: I could already... I'm like, yep, setting up this and setting up that is involved, and it's sitting in a repo anyway, and I don't think anyone else besides GitLab users... it's all mapped to our GitLab structure and stuff. But I'm certainly happy to, if there's a way... I'm not even sure what that looks like yet. But if there's a way we can be like...
A: Makes sense. So we can iterate on that when you're ready, when that's appropriate. I think from, like, the immediate next steps of the vision and how we're partnering with HashiCorp and what we're looking to do from an integration standpoint, there's a couple of proof of concepts out there. One is using kind of an identity API and relying on JWTs to pass through tokens from users that have been authenticated, and then there's another POC where GitLab and Vault have authenticated in any given method.
A: There are two different kinds of use cases, but this would require GitLab to fetch, on the Rails side, a secret from Vault and then pass that, and then the runner would run. So those are the two proof of concepts that are kind of out there today, and both of them rely on the Rails side handling these secrets and tokens, rather than something being passed in the runner, mainly because one shared runner could be a really big nightmare for handling multiple credentials on shared runners.
B: In that case I'm using the upstream HashiCorp Helm chart Vault installation as is, which I think is open source only. So that's something we may need to go back to them and say, hey, if you want us to do enterprise stuff, there needs to be work to support that for the enterprise as...
A: So this is where, like, we see a fork in our use cases, is that even if the long-term vision is to be like, GitLab as a company wants to provide the most secure way natively to handle secrets, and HashiCorp, as the market leader for this solution, is the company that we're going to rely on for that. But there's also this use case that customers are like, I've had my Vault for years, this is the HashiCorp Vault I want to use, I need to be able to use my Vault with it.
A: So we would want to suggest to HashiCorp that our user experience should be universal with Vault. You know, like, if a customer wanted to upgrade from their Helm chart, you know, like that's only supported, you know, SaaS to enterprise, they should be able to do that. Or if they wanted to downgrade from enterprise and point it to a Helm chart instance, they should be able to do that. Gotcha. Like, this is where we start thinking about replication and federation and how we're going to support that as well.
B: Yeah, now that makes sense. Yeah, I think that makes sense. Yeah, from the deployment side, like what we've got so far and what I've put up there, we'll handle things like HA; it will handle a few instances, it can do rolling upgrades and stuff. The only thing it doesn't do is kind of geo replication, but there's a bigger story around GitLab and geo replication and the status of that anyway, I think so.
B: Regional support, yeah. And because Vault, potentially for us internally, you know, will be basically one of the most important core services that we'll have. Obviously, if we haven't got access to Vault, we can't set anything up, you know. Geo support for Vault might actually be one of the first things we need, kind of thing, like anything. If that's a basic underlying service, database is probably another one, right? Like anything that kind of sits underneath everything and is really important to have is actually probably a bigger target for us for geo.
B: I was just, actually, on top of that, because getting into... well, just an idea, it's just kind of fairly out of left field. I do know that Vault actually had some Kubernetes... they had a Kubernetes operator, or there was one in the works, and there was a bunch of work on native ways to manage policies and stuff involved, which I never got the time to look at. But I'd actually be interested in hearing HashiCorp's side.
B: If they can do Vault management in native Kubernetes and native objects, that is the path both myself and GitLab infrastructure want to take. We want to push management of everything into Kubernetes, like custom resources and stuff, and maybe for the GitLab managed app side it would make it infinitely easier, because you could have a GitLab managed app that was essentially your Vault, like you would have a GitLab managed app that's Vault itself, and it would be very easy to then have a GitLab managed app which is essentially, like, all your Vault config,
B: or a standalone instance with all configuration applied on top of that. Because at the moment you've kind of got to do it either with curl commands or CLI commands, or we're using Terraform. But dealing with the whole push for cloud native is, if we have Kubernetes custom resource objects and then an operator that can interpret them and apply them to Vault instances, that would be, if you like, the gold standard for us, say.
B: We would like, if possible, Vault configuration management done via Kubernetes native resources, using an operator or CRDs (custom resource definitions). And as I said, I think it exists, but I'm not sure if that's supported officially by Vault, or if they've done the work, or what status it's at, or anything like that. So if anyone knows something about that, I would be interested in finding that out. Okay.
A: Let me share this with you and let me know if there are other questions that you may have on this. Your time zone might actually work out; I could probably include you in those meetings with HashiCorp, so even if you just wanted to listen in or ask questions, you're more than welcome to. But I'll link this to you. So if you have any other questions for HashiCorp, just drop them in the next meeting.
B: David Smith has already pulled me in on that, but I'll double check. Also, I'll send you the link to this. So this document here is probably an accurate summary of all of our work so far, including how we deploy Vault, the two AppRoles we were setting up to authenticate users against GitLab and machines against Google, and just a bunch of policy and a whole bunch of other work. So it's kind of going in there so that this...