Secret Revocation Worker Service

• Service Overview
• Alerts: https://alerts.gitlab.net/#/alerts?filter=%7Btype%3D%22secret-revc-worker%22%2C%20tier%3D%22sv%22%7D
• Label: gitlab-com/gl-infra/production~“Service::SecretRevcWorker”

Logging

• secret-revc-worker

Summary

Secret Revocation Worker (secret-revc-worker) is a Runway-based workload/deployment that is a part of the Secret Revocation Service.

It consumes messages published from the corresponding API workload to a Google PubSub topic via a subscription. When a message is received, it is parsed and the appropriate handler is used to send a revocation request to the partner API.

This service is currently used by “Automatic Response to Leaked Secrets” feature, and is maintained by the AST:Secret Detection team.

The source code repository for both services (API and Worker) is available here and the runway deployment configuration are located in:

• secret-revc-worker
• secret-revocation

Architecture

Check the documentation for a high-level architecture.

More details about the end-to-end workflow can also be found here.

Scalability

This service is deployed using Runway and its scaling is handled by Cloud Run and configured as part of Runway deployment (see documentation).

Availability

Both workloads are publicly accessible because each require some external interaction whether ingress or egress. They’re deployed in us-east1 region.

Monitoring/Alerting

The service is deployed using Runway and Runway packs built-in observability, particularly monitoring stack. Default Runway metrics for the service is available at Runway Service Metrics dashboard.

Links to further Documentation

• Documentation

Old Service (SecAuto)

• Source Code and Docker Images
• Configuration and Deployment
• Terraform GCP Resources

New Service (AST:Secret Detection / on Runway)

• Original Issue
• Transition SRS to AST:Secret Detection (and Runway):
  • Runway Transition
  • New Service Rollout
  • Old Service Cleanup