
Security patch workflow for MediaWiki on k8s
Open, Medium, Public

Description

  • Pipeline creates a pre-production image
  • Applies security patches onto the production container image
  • If patch application fails, the process fails and notifies relevant parties
  • Pushes the resulting production container image to a private registry from which we can deploy it
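As an added illustration of the "apply, fail loudly, only then continue" step (example code, not the pipeline's own; it assumes GNU patch and uses a constructed source tree with one good and one stale patch):

```shell
#!/bin/sh
# Constructed example, not the Wikimedia pipeline's code. Assumes GNU patch.
# Every patch is dry-run first; if any one fails, the tree is left untouched,
# the failures are written to a report the pipeline can forward to patch authors
# and the security team, and the step exits non-zero so the image is never built.
apply_security_patches() {
  patch_dir=$1 tree=$2 report=$3
  : > "$report"
  failed=0
  for p in "$patch_dir"/*.patch; do
    [ -e "$p" ] || continue
    if ! patch -d "$tree" -p1 -f -s --dry-run < "$p" >/dev/null 2>&1; then
      echo "FAILED: $(basename "$p") does not apply cleanly" >> "$report"
      failed=1
    fi
  done
  if [ "$failed" -ne 0 ]; then
    cat "$report" >&2   # stand-in for the notification step
    return 1
  fi
  for p in "$patch_dir"/*.patch; do
    [ -e "$p" ] || continue
    patch -d "$tree" -p1 -f -s < "$p" >/dev/null || return 1
    echo "applied: $(basename "$p")" >> "$report"
  done
}

# Constructed fixture: a tree, one patch that applies, one that is stale. Prints the work dir.
setup_demo() {
  work=$(mktemp -d)
  mkdir -p "$work/tree" "$work/patches"
  printf 'old line\n' > "$work/tree/file.txt"
  cat > "$work/patches/01-good.patch" <<'EOF'
--- old/file.txt
+++ new/file.txt
@@ -1 +1 @@
-old line
+new line
EOF
  cat > "$work/patches/02-stale.patch" <<'EOF'
--- old/file.txt
+++ new/file.txt
@@ -1 +1 @@
-line that is no longer in the tree
+rewritten line
EOF
  echo "$work"
}

work=$(setup_demo)
apply_security_patches "$work/patches" "$work/tree" "$work/report.txt" \
  && echo "patches applied, image step may continue" \
  || echo "patch step failed, report in $work/report.txt"
```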

Dependency on SRE:

  • Private registry

Can we deploy this to staging somewhere for smoke-tests and mwdebug testing?

Event Timeline

dancy triaged this task as Medium priority.
dancy added a subscriber: dduvall.

Change 674132 had a related patch set uploaded (by Ahmon Dancy; owner: Ahmon Dancy):
[operations/mediawiki-config@master] Include patches in restricted image

https://gerrit.wikimedia.org/r/674132

Change 674132 merged by jenkins-bot:
[operations/mediawiki-config@master] Include patches in restricted image

https://gerrit.wikimedia.org/r/674132

Mentioned in SAL (#wikimedia-operations) [2021-03-25T18:09:13Z] <marxarelli> scap sync-file .pipeline Config: [[gerrit:674132|Include patches in restricted image (T271274)]]

Pushing to Q4 as the one piece of this task left undone is "notifies relevant parties"; i.e., we don't have notification for security folks (or security patch authors) when patches don't apply.

Change 679008 had a related patch set uploaded (by Ahmon Dancy; author: Ahmon Dancy):

[operations/mediawiki-config@master] pipeline: Fix how vendor patches are applied

https://gerrit.wikimedia.org/r/679008

Change 679008 merged by jenkins-bot:

[operations/mediawiki-config@master] pipeline: Fix how vendor patches are applied

https://gerrit.wikimedia.org/r/679008