
Add new function for reading/writing encrypted config files

DJ Mountney requested to merge encrypted-credentials into master

What does this MR do?

This introduces a new function that supports reading/writing encrypted config files using a new provided key in secrets.

Why

This is intended to be used to pass encrypted credentials to gitlab as part of work towards providing encrypted ldap credentials, without having them stored in plaintext. #238483 (closed)

Related MRs

This section was split off from the ldap credentials specific work so that we can review the introduction of the encryption functionality, new key, and support for future rotation separately from the ldap credentials file itself.

Additional Details

  • The base key is only generated if you have an env variable set. See the docs in this MR: !48090 (merged)
  • There is internal support and tests for providing keys for rotation, as a forward looking item to show it can be supported, but I don't think we will actually handle the rotation story as part of this MR. We just want to ensure we can support it in the future.

Relates to #238483 (closed)

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Andrew Kelly
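The description above sketches the feature (encrypted config files keyed from secrets, with room for key rotation) without showing it. The following is an added illustration, not code from this MR or from GitLab: a small Ruby class that encrypts a YAML config with AES-256-GCM under the current key, tries any previous keys when reading, and re-encrypts under the current key when a file turns out to have been written with a retired one. The class name, the `encrypted-config-v1` header, the key sizes and the sample ldap values are all assumptions made for the example.

```ruby
require 'openssl'
require 'yaml'
require 'base64'
require 'tmpdir'

# Hypothetical helper for the example; not GitLab's implementation.
# File layout (constructed for this example): header:iv:ciphertext:tag, each base64.
class EncryptedConfigFile
  CIPHER    = 'aes-256-gcm'
  HEADER    = 'encrypted-config-v1' # format marker, also bound as AEAD associated data
  KEY_BYTES = 32

  class DecryptionError < StandardError; end

  # key: the current secret. previous_keys: retired secrets still accepted for
  # reading, so files written under them can be rotated forward.
  def initialize(path, key:, previous_keys: [])
    @path = path
    @keys = [key, *previous_keys].map { |k| check_key(k) }
  end

  # Encrypts the config hash under the current (first) key with a fresh nonce.
  def write(config)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = @keys.first
    iv = cipher.random_iv # 12-byte GCM nonce, new on every write
    cipher.auth_data = HEADER
    ciphertext = cipher.update(YAML.dump(config)) + cipher.final
    fields = [iv, ciphertext, cipher.auth_tag].map { |b| Base64.strict_encode64(b) }
    File.open(@path, 'w', 0o600) { |f| f.write([HEADER, *fields].join(':')) }
    nil
  end

  # Tries the current key first, then each previous key in order.
  # Returns [config, index_of_key_that_worked]; index 0 means the current key.
  def read_with_key_index
    header, iv, ciphertext, tag = File.read(@path).split(':', 4)
    raise DecryptionError, 'unrecognised file format' unless header == HEADER && tag
    iv, ciphertext, tag = [iv, ciphertext, tag].map { |s| Base64.strict_decode64(s) }
    raise DecryptionError, 'bad auth tag length' unless tag.bytesize == 16
    @keys.each_with_index do |key, idx|
      begin
        decipher = OpenSSL::Cipher.new(CIPHER).decrypt
        decipher.key = key
        decipher.iv = iv
        decipher.auth_tag = tag          # GCM verifies the tag in #final
        decipher.auth_data = HEADER
        plaintext = decipher.update(ciphertext) + decipher.final
        return [YAML.safe_load(plaintext), idx]
      rescue OpenSSL::Cipher::CipherError
        next # wrong key or tampered file: try the next key
      end
    end
    raise DecryptionError, 'no configured key can decrypt this file'
  end

  def read
    read_with_key_index.first
  end

  # Re-encrypts under the current key if a previous key was needed to read.
  # Returns true when the file was rewritten.
  def rotate!
    config, idx = read_with_key_index
    write(config) if idx > 0
    idx > 0
  end

  private

  def check_key(key)
    raise ArgumentError, "key must be #{KEY_BYTES} bytes" unless key.bytesize == KEY_BYTES
    key
  end
end

# Walks through one rotation with constructed keys and values in a temp dir.
def demo_rotation
  old_key = OpenSSL::Random.random_bytes(32)
  new_key = OpenSSL::Random.random_bytes(32)
  config  = { 'ldap' => { 'bind_dn' => 'cn=example', 'password' => 'example-secret' } } # constructed
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'ldap.yaml.enc')
    EncryptedConfigFile.new(path, key: old_key).write(config)
    store = EncryptedConfigFile.new(path, key: new_key, previous_keys: [old_key])
    _, idx_before = store.read_with_key_index
    did_rotate = store.rotate!
    _, idx_after = store.read_with_key_index
    unknown_key_reads = begin
      EncryptedConfigFile.new(path, key: OpenSSL::Random.random_bytes(32)).read
      true
    rescue EncryptedConfigFile::DecryptionError
      false
    end
    { config: store.read, key_index_before: idx_before, rotated: did_rotate,
      key_index_after: idx_after, unknown_key_reads: unknown_key_reads }
  end
end

puts demo_rotation.inspect if $PROGRAM_NAME == __FILE__
```

The header is passed as GCM associated data so a file cannot be silently re-labelled as another format, and a wrong key or a modified ciphertext fails the tag check rather than producing garbage YAML. Keeping the current key first means the rotation path costs nothing on files that are already up to date.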
