The push-notifications service needs to authenticate to MediaWiki in order to make API requests to delete invalid push subscriptions. A user account (PushSubscriptionManager2) has been created on Beta Metawiki for use by the service. We need to update the push-notifications service configuration on deployment-push-notifications01 to provide the credentials for this user:
profile::docker::runner::service_defs: mediawiki-services-push-notifications: config: services: - name: push-notifications conf: [...] mw_subscription_manager_username: PushSubscriptionManager2 mw_subscription_manager_password: <password>
The trouble is that instance Hiera configurations are committed to a public Git repo. Is there a way to provide this password to the service configuration in Cloud VPS that doesn't expose it publicly?