defenseunicorns / uds-package-gitlab

🏭 UDS GitLab Zarf Package
Apache License 2.0

[ADR] Select a credential rotation solution for GitLab #53

Open Racer159 opened 4 months ago

Racer159 commented 4 months ago

Is your feature request related to a problem? Please describe.

As Ashton I want to be able to rotate GitLab credentials safely so that I can meet IA requirements and build a more secure system.

Describe the solution you'd like

We should determine a way to automate the rotation of credentials for GitLab so that we can reduce the cognitive load in doing these rotations. This should include:

These should be written in a simple ADR to capture why the final solution was chosen and a follow on implementation issue should be created.

Additional context

This is needed to meet IA requirements and we should do this in as automated a way as possible likely using Zarf, UDS CLI or Pepr.
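The safe-rotation sequence the ADR has to settle on (issue a new credential, verify it before promoting it, keep the old one valid for a grace period so in-flight consumers are not broken, then revoke it) can be sketched independently of whether Zarf, UDS CLI or Pepr ends up driving it. The following is an added illustration, not code from uds-package-gitlab; `FakeGitLab` and `SecretStore` are constructed stand-ins for the GitLab token API and for the Kubernetes Secret consumers read, and the credential names, dates and one-hour grace period are assumed values.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Credential:
    name: str
    secret: str
    created: datetime


class FakeGitLab:
    """Constructed stand-in for GitLab: it only tracks which tokens are valid.
    A real driver would call the GitLab API to create and revoke tokens."""

    def __init__(self) -> None:
        self._valid = set()

    def issue(self, secret: str) -> None:
        self._valid.add(secret)

    def revoke(self, secret: str) -> None:
        self._valid.discard(secret)

    def authenticate(self, secret: str) -> bool:
        return secret in self._valid


class BrokenGitLab(FakeGitLab):
    """Constructed failure mode: token creation silently does nothing."""

    def issue(self, secret: str) -> None:
        pass


class SecretStore:
    """Constructed stand-in for where consumers read the credential (e.g. a
    Kubernetes Secret). Holds the current credential and, during the grace
    period after a rotation, the previous one."""

    def __init__(self) -> None:
        self.current: Optional[Credential] = None
        self.previous: Optional[Credential] = None


def rotate(store: SecretStore, gitlab: FakeGitLab, now: datetime) -> Credential:
    """Issue a new credential, verify it, then promote it. The old credential
    stays valid until revoke_expired() retires it."""
    candidate = Credential(
        name=f"gitlab-cred-{now.strftime('%Y%m%dT%H%M%SZ')}",  # assumed naming scheme
        secret=secrets.token_urlsafe(32),  # 256 bits from the OS CSPRNG
        created=now,
    )
    gitlab.issue(candidate.secret)
    # Verify before promoting: installing a credential that does not work is an outage.
    if not gitlab.authenticate(candidate.secret):
        gitlab.revoke(candidate.secret)
        raise RuntimeError("new credential failed verification; previous credential kept")
    # At most one previous credential is retained; anything older is revoked now.
    if store.previous is not None:
        gitlab.revoke(store.previous.secret)
    store.previous = store.current
    store.current = candidate
    return candidate


def revoke_expired(store: SecretStore, gitlab: FakeGitLab, now: datetime,
                   grace: timedelta = timedelta(hours=1)) -> bool:
    """Revoke the previous credential once the grace period since the last
    rotation has elapsed. Returns True when something was revoked."""
    if store.previous is None or store.current is None:
        return False
    if now - store.current.created < grace:
        return False
    gitlab.revoke(store.previous.secret)
    store.previous = None
    return True


def demo() -> dict:
    """Run one bootstrap, one rotation, a too-early and an on-time revocation,
    plus a rotation against a GitLab that fails to issue the token."""
    gitlab, store = FakeGitLab(), SecretStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timeline
    first = rotate(store, gitlab, t0)  # bootstrap: nothing to overlap with
    second = rotate(store, gitlab, t0 + timedelta(days=30))
    during_grace = (gitlab.authenticate(first.secret), gitlab.authenticate(second.secret))
    revoked_early = revoke_expired(store, gitlab, t0 + timedelta(days=30, minutes=10))
    revoked_later = revoke_expired(store, gitlab, t0 + timedelta(days=30, hours=2))
    after_grace = (gitlab.authenticate(first.secret), gitlab.authenticate(second.secret))

    broken, broken_store = BrokenGitLab(), SecretStore()
    broken_store.current = Credential("bootstrap", "old-secret", t0)  # constructed
    try:
        rotate(broken_store, broken, t0 + timedelta(days=30))
        failed_rotation_kept_old = False
    except RuntimeError:
        failed_rotation_kept_old = broken_store.current.secret == "old-secret"

    return {
        "during_grace": during_grace,
        "revoked_early": revoked_early,
        "revoked_later": revoked_later,
        "after_grace": after_grace,
        "failed_rotation_kept_old": failed_rotation_kept_old,
    }


if __name__ == "__main__":
    print(demo())
```

The two properties worth carrying into the ADR regardless of tooling are visible in `demo()`: both credentials authenticate during the grace window, and a rotation whose new credential fails verification leaves the existing one untouched rather than half-applied.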

naveensrinivasan commented 4 months ago

It's important to note that the approach will vary depending on whether you are using a SaaS or non-SaaS solution.

For example, SaaS solutions offer an option called "IAM Roles for Service Accounts (IRSA)," which can help reduce the attack vector without the need to manage tokens. These tokens are short-lived and obtained through STS.

Therefore, when creating an ADR, we should focus on a SaaS solution. Thoughts?

zachariahmiller commented 4 months ago

We are already using IRSA (pod identity webhook) with RKE2 for the SaaS environment, but not for all things due to some issues with, for example, RDS and how connection pooling works with IRSA. Agree it will differ between SaaS and non-SaaS.

Racer159 commented 3 months ago

blocked on https://github.com/defenseunicorns/uds-software-factory/issues/45