Add flag for disabling GitLab secrets handling
What does this MR do?
MR adds a flag to configure if the Toolkit should handle propagation of GitLab Secrets and SSH keys in multi-node setups. Disabling is an advanced use case and secrets must be propagated in full by the user via Custom Tasks / Cloud Native Hybrid Custom Secrets Tasks, including the handling of reconfigure calls, etc. For example:
- Omnibus - Use Custom Tasks as normal to propagate secrets as desired (note that an Omnibus reconfigure will likely be required as well).
- Cloud Native Hybrid - Use Custom Secrets task file (named for Kubernetes secrets but can apply for both) to copy the secrets over.
- Note for Geo, after reviewing how it works, the same approach should work as you would be pulling secrets from the same source so a separate task wouldn't be required here - You would just run the same Omnibus and Cloud Native Hybrid custom tasks files as the primary.
This is intended as a temporary path as we await a new product solution for secrets.
Related issues
Closes https://gitlab.com/gitlab-org/gitlab-environment-toolkit/-/issues/532
Author's checklist
When ready for review, the Author applies the workflow::ready for review label and mentions @gl-quality/get-maintainers:
- Merge request:
  - Corresponding Issue raised and reviewed by the GET maintainers team.
  - Merge Request Title and Description are up-to-date, accurate, and descriptive
  - MR targeting the appropriate branch
  - MR has a green pipeline
  - MR has no new security alerts in the widget from the Secret Detection and IaC Scan (SAST) jobs.
- Code:
  - Check the area changed works as expected. Consider testing it in different environment sizes (1k,3k,10k,etc.).
  - Documentation created/updated in the same MR.
  - If this MR adds an optional configuration - check that all permutations continue to work.
  - For Terraform changes: set up a previous version environment, then run a terraform plan with your new changes and ensure nothing will be destroyed. If anything will be destroyed and this can't be avoided please add a comment to the current MR.
- Create any follow-up issue(s) to support the new feature across other supported cloud providers or advanced configurations. Create 1 issue for each provider/configuration. Contact the Quality Enablement team if unsure.
Edited by Grant Young