Page MenuHomePhabricator
Create Task
Maniphest T299023

Deploy Flores MT secrets in Production for ContentTranslation
Closed, ResolvedPublic
Actions

Description

Language team requires deployment of new secrets key in private Puppet repository in Production for new machine translation service Flores (https://phabricator.wikimedia.org/T292412).

Requesting SRE clinic duty to deploy and let us know how to send key in a secure way.

Flores MT requires two secrets:

  1. key
  2. secret

Related changes

Also see

  • Request for Elia key deployment: T284887

Related Objects
Search...

Event Timeline

KartikMistry created this task.Jan 12 2022, 6:01 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 12 2022, 6:01 AM
KartikMistry added a parent task: T298584: Deploy Flores MT in Production.Jan 12 2022, 6:02 AM
KartikMistry mentioned this in T298584: Deploy Flores MT in Production.
Pginer-WMF moved this task from Quarter Backlog to Priority: CX Quality & Maintenance on the Language-Team (Language-2022-January-March) board.Jan 13 2022, 12:32 PM
Dzahn subscribed.Jan 13 2022, 8:52 PM

Hi @KartikMistry re: the question how to get the key to us: you can make a new file in your home dir on the deployment server, deploy1002, chmod 400 it, paste the key and let us know the file name. We'll take ti from there.

KartikMistry added a comment.EditedJan 14 2022, 6:36 AM
In T299023#7620868, @Dzahn wrote:

Hi @KartikMistry re: the question how to get the key to us: you can make a new file in your home dir on the deployment server, deploy1002, chmod 400 it, paste the key and let us know the file name. We'll take ti from there.

In the past, we used to send GPG encrypted file to the deployer of the key (Eg: https://phabricator.wikimedia.org/T284887#7154410). Is that OK? Let me know your GPG Public key on any keyserver and I should do that by email or on the location you mentioned. That's more secure than putting it as plain text, IMO.

Dzahn added a comment.Jan 14 2022, 8:08 PM

Of course using GPG is fine as well. I just did not suggest it because usually people consider it cumbersome and once we add the credentials in the private repo they will be unencrypted again, though on other hosts. Additionally it meant the ticket could still be resolved by anyone as I am not on clinic duty and keyservers often caused as trouble. We kind of stopped using them and upload keys into our own repo now.

here you go though:

https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xb049b180212e42a7afb4d43337e9b5c6f5f6a067

https://keyserver.ubuntu.com/pks/lookup?search=dzahn%40wikimedia.org&fingerprint=on&op=index

KartikMistry added a comment.Jan 15 2022, 5:34 AM
In T299023#7623070, @Dzahn wrote:

Of course using GPG is fine as well. I just did not suggest it because usually people consider it cumbersome and once we add the credentials in the private repo they will be unencrypted again, though on other hosts. Additionally it meant the ticket could still be resolved by anyone as I am not on clinic duty and keyservers often caused as trouble. We kind of stopped using them and upload keys into our own repo now.

here you go though:

https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xb049b180212e42a7afb4d43337e9b5c6f5f6a067

https://keyserver.ubuntu.com/pks/lookup?search=dzahn%40wikimedia.org&fingerprint=on&op=index

Got it. Let's follow the GPG signed method this time being. Keys are available at: deploy1002:/home/kartik/keys - it has two files, key and secret - both need to deploy as we did in T284887.

Dzahn changed the task status from Open to In Progress.Jan 17 2022, 11:40 PM
Dzahn claimed this task.
Dzahn added a comment.Jan 17 2022, 11:42 PM

@KartikMistry Ok, I found the files, could decrypt them and added them to the private repo.

they are available as Flores:key and Flores:secret under the same hierarchy that "Elia" is under.

mt:
  Flores:
    key:
    secret:
Dzahn closed this task as Resolved.Jan 17 2022, 11:46 PM
KartikMistry moved this task from Priority: CX Quality & Maintenance to Done on the Language-Team (Language-2022-January-March) board.Jan 18 2022, 3:46 AM
KartikMistry mentioned this in T309486: Deploy cxserver db password in private puppet repository.May 30 2022, 6:20 AM
KartikMistry mentioned this in T324534: cxserver: Update Flores/NLLB-200 MT secret in Production.Dec 6 2022, 7:38 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits