I would like to deprecate the fixed_settings.yaml (in puppet) and prefer just making customizations in the phab config gui with just a few security-critical settings to remain locked and managed via a plain json config file in puppet.
There are several reasons for this:
- The puppet code to compile a suitable phabricator config json (from a static yaml in puppet) is kind of a dirty hack implemented in ruby land (I believe via a puppet compiler function called ordered_json). Background: Internally, ruby hashes are unordered, while php stores hashes (aka associative arrays) in an order-preserving way. Further, phabricator cares about the order of keys in the config. In fact the order really matters a lot.
- There is already a nice GUI for editing phabricator's config that has several good features which we don't get when editing config via puppet:
- The GUI does a lot of sanity checking on your new config values before applying them, a bad config change done by puppet can bring phabricator offline and it requires a time consuming git revert + puppet agent to bring things back to a working state.
- The GUI has an audit trail for every edit. Of course, git/gerrit has this as well, but it mitigates some of the advantage that would otherwise be conferred by using gerrit & puppet.
- Edits done in the GUI already override anything done in puppet so changes in puppet are sometimes ineffectual (see T228757: Rename Phabricator's "Normal" Priority field value to "Medium")
- Phabricator already locks certain config settings so that they cannot be edited via the GUI, so security-critical settings must be managed by json files on disk (though there is a cli which does the same sanity checks as the phab gui). Nonetheless, we should at least eliminate the translation from yaml to json because it's slightly error-prone and provides very little benefit in terms of ergonomics (and it's a negative in terms of maintainability)
I have more thoughts on this but I'm supposed to be on vacation so I'll fill in more detail later.