Since our git operations (over http) go cross-dc, we should secure them.
Sounds to me it should be a service provided by the infrastructure. Ie all of our crap should not have to care about encrypting. That ends up being way simpler since you can deploy wtf you want and have a guarantee by the underlying layer that encryption is achieved.
So we've got two options going forward, neither of which are terribly hard.
- We can generate some certs and slap them on the apache instance we use for git operations. Fairly trivial, just some config swaps.
- If we go with T116630: Remove apache dependency from scap3 deployment host, it needs to support TLS (and per discussion with @mark, probably only TLS)