Change from ssh to pushing via https for "releng-secrets" git repo
Closed, Resolved, Public

Description

As a breakout task from T296022

can the "releng-secrets.git" repository please be moved away from Phabricator?

I am not saying I know where exactly it SHOULD move, but I know we want to shut down git-ssh.wikimedia.org and it's used by the releng team itself.

Both Gerrit and GitLab don't allow private repos but releng has their own password store. Can it be merged into that? Or can we help setting up a private repo on some other server, like SRE does with pwstore?

Would be great if this can be relatively high prio since there is not that much time left to deprecate git-ssh and that in turn blocks moving Phabricator to new hardware and that's been stalled for a while.

Event Timeline

If we could establish that pwstore already replaced releng-secrets then we might be able to simply delete it. (before we even get into newer plans to also replace pwstore)

FWIW, that repo is a pwstore; we store gpg encrypted passwords there. And it's also private (belt and suspenders).

@hashar (as a low priority task) was exploring 1password T290337: Migrate from pws gpg to 1password, which is still an attractive route considering being pgp-keeper of releng is a role I don't relish :)

Does phabricator not have a way to authenticate over https for git repos? Only git-ssh?

You can set a "VCS password" in Phabricator user settings in the 'Authentication' section. This should allow pushing via https.

If you could confirm that works for you guys then I would retract my request to move it. Or it can be merged into another task that is about actually moving to something else.

We have settled on migrating out of pws/gpg/git to store our credentials in favor of 1password.com. The migration itself is not that complicated:

  • one has to move the credentials
  • get accounts created by Office IT for each person in the team
  • do some presentation / training for the solution

Dzahn reopened this task as Open. Feb 14 2022, 3:50 PM

This ticket wasn't about migrating pws to another solution. It was about moving the repo releng-secrets out of phabricator or, alternatively, to stop using ssh and settle on https. Therefore it's not a duplicate of replacing pwstore.

Dzahn claimed this task.

So.. we have now tried the "push over https" to this repo and written docs for it: https://wikitech.wikimedia.org/wiki/Phabricator/pushing_over_https

Brennen could confirm pushing to this and we have disabled the ssh and http URIs for this repo, leaving only the https part.

This means it is now not blocking a shutdown of git-ssh.wikimedia.org anymore.

And then there is T290337 so that will replace it and until then, please push over https and I call this resolved, just because now it does not block me anymore.

Dzahn renamed this task from move "releng-secrets" git repo away from Phabricator to move "releng-secrets" git repo away from Phabricator (stop pushing over ssh to phab). Feb 23 2022, 9:31 PM

What's described in the task title actually got resolved in T351321: Migrate R2115 Diffusion repo to 1password instead.

Aklapper renamed this task from move "releng-secrets" git repo away from Phabricator (stop pushing over ssh to phab) to Change from ssh to pushing via https for "releng-secrets" git repo. Nov 17 2023, 7:56 PM