Overview

This documentation outlines the processes and techniques used by the GitLab CE project for storing and managing secrets in a production environment. The focus is on code and configuration found within the project's Docker setup and on how it handles sensitive information.

Storing Secrets in Docker Images

Secrets in GitLab are managed carefully to mitigate exposure and ensure security. The approach involves incorporating third-party tools and following best practices for secret management.

Using 1Password CLI

The project integrates 1Password CLI to securely handle secrets. The installation of 1Password CLI is performed in the Dockerfile, as shown below:

##
# Install 1Password CLI
#
RUN wget -P /tmp/ https://downloads.1password.com/linux/debian/$(dpkg --print-architecture)/stable/1password-cli-$(dpkg --print-architecture)-latest.deb
RUN dpkg -i /tmp/1password-cli-$(dpkg --print-architecture)-latest.deb
RUN op --version

In this example, the 1Password CLI is downloaded and installed into the image, so secrets can be retrieved and managed from the command line. Note that installing the CLI places no secret in the image: the container still has to authenticate to 1Password at run time (for example with a service account token supplied as an environment variable, or through an interactive sign-in) before any item can be read.

Handling TLS Certificates

For secure communication, GitLab CE uses TLS certificates. The following section of the Dockerfile registers a CA certificate (taken from the repository's qa/tls_certificates directory) as a system trust anchor:

##
# Install root certificate
#
RUN mkdir -p /usr/share/ca-certificates/gitlab
ADD ./qa/tls_certificates/authority/ca.crt /usr/share/ca-certificates/gitlab/
RUN echo 'gitlab/ca.crt' >> /etc/ca-certificates.conf
RUN chmod -R 644 /usr/share/ca-certificates/gitlab && update-ca-certificates

Here, the ca.crt file is copied into a dedicated directory, its path is appended to /etc/ca-certificates.conf, and update-ca-certificates rebuilds the system trust store, so that servers presenting certificates issued by this CA are trusted by every TLS client in the image. Because the trust is image-wide, only a CA whose private key the project controls should be added this way; the path suggests this one is a test authority used by the QA suite.

Environment Variables for Configuration

Sensitive information such as tokens, passwords, and other secrets is often handled via environment variables. In the Dockerfile, environment variables are set to configure the application's behavior:

ENV DEBIAN_FRONTEND="noninteractive"
ENV BUNDLE_APP_CONFIG=/home/gitlab/.bundle

These variables control the build and runtime configuration without hardcoding values into the source code; neither of them holds a secret. That distinction matters: anything set with ENV (or ARG) in a Dockerfile is baked into the image metadata and is visible to anyone who can run docker history or docker inspect on it, so actual secrets should be supplied to the container at run time (for example, fetched through the 1Password CLI described above or injected by the orchestrator) rather than set with ENV during the build.

Best Practices for Secret Management

When managing secrets in production settings, adhering to best security practices is essential. Here are some recommended strategies followed in GitLab CE:

  1. Use Environment Variables: Always prefer environment variables over hardcoding secrets in application code, and supply them to the container at run time rather than baking them into the image with ENV.

  2. Integrate Secure Storage Solutions: Utilize tools like 1Password, AWS Secrets Manager, or HashiCorp Vault to store and retrieve secrets programmatically.

  3. Limit Access: Ensure that only necessary services have access to the secrets they require. Implement the principle of least privilege.

  4. Regular Rotation: Periodically update and rotate the secrets used. This reduces the potential impact of a compromised secret.

  5. Monitor and Audit: Monitoring access to secrets and regularly auditing their use can help detect and prevent unauthorized access.
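As an added example (not code from the GitLab CE repository), the following POSIX shell script audits a Dockerfile for the mistake that the ENV section and practice 1 above warn against: ENV or ARG instructions carrying a non-empty, credential-looking value that would end up in the image metadata. The sample Dockerfile and the key-name pattern are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag ENV/ARG instructions that bake credential-looking
# values into a Dockerfile. Such values persist in image metadata
# (docker history / docker inspect), so secrets belong at run time.

# Constructed sample Dockerfile; lines 4 and 5 are the defects to catch,
# line 6 is an empty placeholder that must NOT be reported.
SAMPLE_DOCKERFILE='FROM debian:bookworm
ENV DEBIAN_FRONTEND="noninteractive"
ENV BUNDLE_APP_CONFIG=/home/gitlab/.bundle
ENV GITLAB_API_TOKEN=glpat-EXAMPLE0000000000000
ARG DB_PASSWORD=hunter2
ENV OP_SERVICE_ACCOUNT_TOKEN=
RUN op --version'

# Reads a Dockerfile on stdin and prints "LINE: KEY" for each ENV/ARG
# whose key matches a secret-like name and whose value is non-empty.
# Only the first KEY=VALUE pair of an instruction is examined.
find_baked_secrets() {
    awk -v sq="'" '
        toupper($1) == "ENV" || toupper($1) == "ARG" {
            rest = $0
            sub(/^[[:space:]]*[A-Za-z]+[[:space:]]+/, "", rest)
            if (index(rest, "=") > 0) {          # ENV KEY=VALUE form
                split(rest, kv, "="); key = kv[1]
                val = substr(rest, length(key) + 2)
            } else {                             # legacy ENV KEY VALUE form
                split(rest, kv, " "); key = kv[1]
                val = substr(rest, length(key) + 1)
                sub(/^[[:space:]]+/, "", val)
            }
            gsub(/"/, "", val); gsub(sq, "", val)   # strip surrounding quotes
            if (toupper(key) ~ /(TOKEN|PASSWORD|PASSWD|SECRET|PRIVATE_KEY|API_KEY)/ \
                && val != "")
                printf "%d: %s\n", NR, key
        }'
}

# Returns 0 when the Dockerfile on stdin is clean, 1 (with findings on
# stderr) otherwise; suitable as a CI gate before `docker build`.
audit_dockerfile() {
    findings=$(find_baked_secrets)
    if [ -n "$findings" ]; then
        printf 'baked-in secret candidates:\n%s\n' "$findings" >&2
        return 1
    fi
    return 0
}
```

Run it as `audit_dockerfile < Dockerfile`; a non-zero exit lists the offending line numbers and keys without printing the values themselves.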

Conclusion

Managing secrets carefully in production systems is vital to the security posture of any application, including GitLab CE. By employing tools like the 1Password CLI, keeping configuration in environment variables while supplying real secrets at run time, and following the practices above, the project protects sensitive information without giving up functionality.

Refer to the official GitLab CE repository for more information on Docker configurations and secret management practices as they evolve.