Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Release Stage / 20 May 2020
GitLab / Release Stage / 20 May 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Vault Review & Discussion with Brad Downey

Description

Quick Chat on https://gitlab.com/gitlab-org/gitlab/-/merge_requests/31831

A

Oh okay, as.

B

We were saying the sake about recording, so the biggest thing that I think vault integration brings is that separation of duties, and so that's a lot of times. This is the conversation, however, the customer like today we can do environmental variables and I. Don't love the fact that you can reveal them, but that's totally like that's a very minor thing, we're looking.

A

To fix that too, so, actually.

B

Come in super handy because I've forgotten my token too much time so I just go back there and I get him back. um Not the best. I know.

A

Right.

B

Like that element is like that's one, the dev team has the secret; they put it in their the permissions level for the project dictate whether they can see that or not they're, not super fine-grained and they're intermixed, with like everything else right like the ability to merge to master is the same permission as to add a secret right.

B

So what vault brings is that separation of duties, where a secured team or an infrastructure team or a cloud team or somebody else, who's whose job it is to create and manage secrets they put them in vault and then and then the dev team consumes that in an automated fashion, where they like, they don't have to do anything they're.

B

They get the latest secrets. It's just easy for them to consume right and then, ideally, they don't have any access. So my video, the one might I, did I spent more time on the vault policy than probably anything else. Trying to understand that of like how do I get it where, when I log in as Brad I can't see the secret, but maybe I can update it or maybe I can create a new version of it or something like that where I had some interaction. This is all vault policy by the way.

B

But my Runner has the ability to actually see the secret right like I, want them to see.

B

I want runner to see the key value, because that's where rubber meets the road where they actually need to execute on it, and so I followed the issues of this vault integration and the yellow, like the proposal in the MRE to set me, is one really long and then I started reading in the comments, and it looks like and I'm pretty far down here, because I've been reading the issue ones, but I realize there's more discussion in this I mark that I wasn't following the proposal of moving in two variables seems really interesting and like I'm I'm, like halfway through this story, like I, met I'm at the peak right.

B

So my my initial thoughts are one. Can we create a separation of duties right, like that's a business objective number one? How does a security team be able to manage the secret get just the amount of data that they need to get to the dev team and the dev team consumes that in the least amount of configuration possible right and then they they really shouldn't have access to those secrets if they're being consumed via pipeline, there's probably ways to work around it, but that's you you're gonna, be hard-pressed to avoid that.

B

So the what I spent a lot of time trying to understand was okay, I I, do terraform code and stuff like that, and so I need cloud keys to deploy to deploy infrastructure like that's the demo I've been using or that's kind of the use case I'm using for vault secrets, so I've officially been able to move all of my secrets out of get lab into vaults and now I can can I can deploy all my infrastructure through through both integration kind of an advanced version of the demo that I recorded and I've got all that code.

B

The challenge I found was the application that I'm deploying really depends on environmental variables, so I needed my secrets originally were in gitlab and they come down as environmental variables. That's a well-known pattern. It's worked amazing.

B

The now that I introduced vault I created like way more steps to like get the secrets from vault load it into runner the authentication and then push them into environmental variables and so I'd. To do this every step of the way and with the way I've got my project set up. I need secrets pretty much at every job, so like I've got three or four jobs in a pipeline. I need to do this for every single nut job. It's not just the final like deploy to production.

B

One like I need the database secret for this final deploy right. So every I'm, taking the hit of logging into vault, getting the secret loading into environmental variables. My tokens expire every 60 seconds, so I need something. That'll, Auto renew the token, so I can continuously get that that secret, maybe I, have secret a in the very beginning of the job at secret B.

B

At the end of the job and I need to be able to do that, so all of those things kind of came to light as as not shortcomings, but things I had to account for her.

B

So I found a couple of things to help me so I was hesitant to use just random code off of github, so I found env console, which is a small tool that hash ich where paths and they have it for it, supports both vault and and their console product, so console being their key value thing and then vault just being the secure version of that I. Think and then they say in their documentation.

B

Hay vaults, great for secrets, but if you need to get them into environmental variables, use this tool, and so that's what I did I use, D&B console to say: okay, you're going I'm, gonna feed you a config file. That'll, have all the information about how to authenticate to vault. Then your job is to consume the secrets out of vault load them into environmental variables and I'll. Let you transform them because they might be in a different format in vault and you want them in your environmental variable.

B

It might be lowercase DB password when you really need uppercase, DB underscore password or something right. So there was a translation mechanism, all these things and then that loaded into my rental variables it handled all of the reactant ocation and the token expiration, and all that and then I was able to execute my job. But there was a lot of there there there's there's a lot of I, don't see drawbacks to it, but it's kind of a manual hack, great yeah.

B

So what I would love in our integration is to take all of that hacky work out of the way and jump straight to the point of being able to I've got a secret as an environmental variable, and that's it like I give I ate Lu where the secrets located and what environmental variable I want it to look like, and and that's it right, and then there might be some additional information on authenticating to vault or something like that, which I think we can have global snippets or you know local or a config file, I've, seen kind of all those different things proposed, there's probably pros and cons to both.

B

Does that make sense? Let me just stop rambling for a second yeah.

A

I know it makes sense, that's kind of why I sent you this MRR to get your feedback on. If you feel like this instrumentation that we're going down would solve your initial ask of yeah.

B

Removing.

A

Like the crunchiness and the manual lift that you had to do to leverage the JWT as part of your project, I've.

B

Read I've read until Camille's idea, one an idea to I haven't read that yet, but that's where that's where I'm, that's, where I'm getting okay and then my question would be, is how would I woods best for a feedback? I'd, probably just posted in this, mr is usually the most preferred I I'm, just bad at that I.

A

Blame that.

B

I am typing everything, but.

A

That's total, that's totally. Okay, I would say it would be helpful to get your perspective in this. Mr because, again, like the more fine details like I, can of course reiterate to Camille that yeah I'd be great. If we can just get all of the vault secrets as environment variables inside of get lab, that doesn't really give us the like the tangible yeah yeah.

B

Right.

A

Now the the mo file limiting in a couple of ways and that the configuration for fall, it's still super manual, yeah.

B

Yeah, the.

A

Copy/Paste thing and then, of course we have, like you, know hard coding of those like off methods that are in that animal file versus at having versus at leveraging. You know a very.

B

I.

A

Think what I did here from your from your narrative there is that, if we're able to abstract the manual lifting of entering in token reference variables into get lab and remove that step completely and have that be automated, that would reduce a lot of this back and forth. You were having to do between fall, UI and Gil AB you I yeah.

B

The other thing and I've seen this kind of being debated is where some of the stuff implemented is it in rails or is it in runner right like whose job is it to pull these secrets and I'm sure, there's pros and cons? We.

A

Already decided on the runner implementation for this, so that's in a different, mr. This is more like what rails is what logic rails will be handling yeah.

B

But.

A

Runner will already be fetching those secrets from directly yeah from vault, and that's this, mr right here. Okay,.

B

So.

A

The runner side is really efficient. We have the definition already built out and we are proceeding with our work that should be shipped in like 13.1, this syntax for the CI and how the config will be processed on the rail side is what we're trying to hash out right now. Yeah.

B

Gotcha, okay, well, I mean we'll get customer feedback on it because I think it's for me. It could be both ways right, like just one I think we want a per job authentication like we want it as tight as possible, so that makes a ton of sense.

B

Runner may not always be able to access vault, which might be problematic right because we might have connectivity. Issues like runner is out in a cloud VPC somewhere and vault exists, centralized in maybe an on-prem data center, okay, that might be problematic, but that could be a Reb, we'll figure that out. Okay, let me let me finish, reading and look through those those elements of it and I think I so far, I'm liking the variables syntax, because I think that's kind of straightforward and it creates an automatic mapping between them.

B

So let me let me finish. Reading that and then I'll put some feedback into the EMR and we can always do another live session. If we want.

A

Thanks.

B

Doc, I really.

A

Appreciate it I will, after you're done decomposing this, so I would love to have another coffee chat with you to attract your separations of duties issue a little bit more yeah I. Have this other work stream that I'm partnering with I'm sure you probably have to go, but um the second issue is chatted out is adding a role to give a very distinct, like deployer permission, to get labs that doesn't give people access to the source code because.

B

That's yeah interesting thing.

A

That we have today is that there's no separation between who can deploy, who can't then mr proving and pushed rules yeah.

B

You got interesting, that's that's come up in customer conversations too and I think without reading your stuff there, as your DevOps, makes a big claim around that they're like oh, we we have very tight controls of who's allowed to do deploys and things like that and I've had a number of Microsoft customers who have come back to me. They're like so. What's your story around this exactly.

A

So.

B

Ok, cool well.

A

Thank.

B

You time.

A

I appreciate it, let.

B

Me look at.

A

Anything.