Identity Kingdoms and Tech Stack

We have refactored our tech stack into Identity Kingdoms (analogous to a realm) to separate the concerns of Business, Cloud, and Product (SaaS and Dedicated), each of which has unique needs, particularly for administrative control planes and least-privilege configuration. This allows us to create automation and policies specific to each kingdom’s compliance requirements, so that the respective teams can operate efficiently within our top-level architecture and guardrails.

Business Kingdom

The GitLab Tech Stack has a comprehensive list of all of the SaaS applications and vendors that we use. The Business Technology and IT team under the Finance division provides IT governance and procurement management for our cross-department system owners.

The primary focus for the IT team is on federating most applications with Okta SSO, prioritizing applications used across the organization and any applications under SOX compliance or related to the Finance, Legal, People, and Sales functions.

Learn more on the tech stack handbook page and Okta handbook page.

Cloud Kingdom

We use Amazon Web Services (AWS) and Google Cloud Platform (GCP) at GitLab, with a few Microsoft-specific sandbox workloads running in Azure and a small GitLab SaaS Runner workload running in Oracle Cloud Infrastructure (OCI).

Each team is responsible for the workloads in their respective child AWS accounts, GCP projects, etc.

The Cloud Kingdom is managed by Security Identity with collaboration from counterparts in Infrastructure Security, Infrastructure, and SIRT. All access management is handled through standard baseline entitlements, access requests for production access, and Sandbox Cloud for non-production access and dev/test accounts or projects.

See the Identity Infrastructure handbook page to learn more.

Product SaaS Production (product-prd) Kingdom

The Product Tech Stack refers to all of the infrastructure packages, services, and software that we use to host GitLab.com SaaS, GitLab Dedicated, the GitLab product source code and related services, and any customer-facing services related to our product.

The Infrastructure Production Architecture handbook page has more details on how services are managed. See the Services Catalog for a non-exhaustive list of included services. You can also see the infrastructure-as-code configuration in the config-mgmt repository.

Our counterparts in the Infrastructure department are responsible for the architecture, configuration, and management of the Product Stack.

Product Dedicated (product-ded) Kingdom

The Dedicated Product Kingdom is managed by the Environment Automation team.

You can learn more on the GitLab Dedicated Group handbook page.

Black Ops Kingdom

We use Access Level Wristband Colors to provide separate BLACK user accounts for admin access. All admin accounts are managed with GitOps in an upstream control plane under the gitlab.black domain name. In alignment with the ops.gitlab.net nomenclature for our product kingdom configuration management, the admin-level configuration is managed in the ops.gitlab.black self-managed GitLab instance that we refer to as Black Ops (an homage to stealth operations, not intended as a military reference).

The Black Ops kingdom is managed by the Identity Infrastructure team.

Identity SaaS Vendor Services

Okta Tenant: gitlab.okta.com

Google Workspace Org: gitlab.com

Google Workspace Org: gitlab.black

Google Workspace Org: Dedicated Dev

Google Workspace Org: Dedicated Prod

Google Workspace Org: gitlabservices.cloud

Google Workspace Org: gitlabsandbox.cloud

NordLayer VPN: VPN (managed by IT Security)

Identity Self Hosted Vendor Services

ops.gitlab.black: Self-Managed GitLab Instance, Top-Level Control Plane IaC

Teleport: Bastion Cluster

HashiCorp Vault: Secrets Manager

Identity GitOps State Management Repos

Self Service Custom App Infrastructure

HackyStack: Infrastructure Management for the Sandbox and Services Orgs

Identity Platform: Access Control (accessctl), RBAC Policy Management, App/Group/User Provisioning

Training Lab Manager: Product Training Hands-on Labs, User and Group Provisioning

Last modified October 29, 2024: Fix broken links (455376ee)