
Allow Scap to push to Gerrit without operator creds
Closed, Resolved | Public | 5 Estimated Story Points

Description

This task covers the long-term solution for T304557 laid out in T304557#7834670. From that comment:


Introduce a service user in Gerrit which is intended to be used to push wikiversions.json changes that are made during train deployments. Maybe we could reuse the account used by the train branch bot.

Generate an ssh key pair which is held in the Puppet/SRE repository holding secrets.

Load that key into the deployment server keyholder

Change scap to git push for review as the train branch bot user. It will need the Gerrit permission Forge Author Identity since the commit author is ourselves rather than the train bot. The git push command in scap/deploy_promote.py could use the pushInsteadOf git configuration trick:

gitcmd(
  '-c', 'url."ssh://<SHELL USERNAME>@gerrit.wikimedia.org:29418".pushInsteadOf=https://gerrit.wikimedia.org/r',
  'push',
)

Or alternatively when scap prep clones operations/mediawiki-config we could set the push url:

scap/plugins/prep.py
                          self._clone_or_update_repo(os.path.join(SOURCE_URL, "operations/mediawiki-config"),
                                                   self.config["operations_mediawiki_config_branch"],
                                                   self.config["stage_dir"],
                                                   logger,
                                                   )
+                         gitcmd("remote", "set-url", "--push", "origin", "ssh://gerrit.wikimedia.org/r/operations/mediawiki-config")

Which has the advantage that if one has to push from their terminal, the push url is correct. That is typically the case when doing a rollback since we do:

git revert HEAD
scap <whatever>
git push origin HEAD:refs/for/master

  • Agree on which user to use
  • Create ssh key for user if doesn't exist
  • Add key to production keyholder accessible by the deployers group
  • Ensure user can push other's patches

Event Timeline

This will be required to implement T310395, assuming it deploys to testwikis.

thcipriani set the point value for this task to 5.

I think I heard @hashar express interest in this task. <nudge nudge>

Indeed, I am sure @jnuche and I can address this one :]

Change 805373 had a related patch set uploaded (by Hashar; author: Hashar):

[mediawiki/tools/scap@master] scap prep: set ssh push url on all repositories

https://gerrit.wikimedia.org/r/805373

The idea is to have scap push to Gerrit with the ssh user set to trainbranchbot. That can be done by running git push with the environment variable GIT_SSH_COMMAND=ssh -l trainbranchbot.

For the implementation, I am thinking of adding a new scap configuration gerrit_push_user which, when set, will inject GIT_SSH_COMMAND and skip using the user's SSH_AUTH_SOCK (and instead rely on the keyholder authentication socket which will have the key). The goal is that until that setting is set, nothing changes, which makes it easy to enable/rollback.

I have requested a new ssh key pair: T310620
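The environment handling sketched in the comment above, as an added Python example that is not scap's own code: a `gerrit_push_user` setting injects `GIT_SSH_COMMAND` and swaps the operator's agent socket for the keyholder one, and leaves the environment untouched when unset. The function names and the keyholder socket path are assumptions made for this illustration.

```python
"""Added example (not scap's code): build the environment for `git push` to
Gerrit so that the push authenticates as a service user via keyholder rather
than with the operator's own ssh agent."""
import re
import shlex

# Assumed location of the keyholder agent proxy socket; a placeholder, not a
# value taken from the task.
KEYHOLDER_SOCK = "/path/to/keyholder/proxy.sock"

# A Gerrit/ssh login such as "trainbranchbot": letters, digits, '_', '-', '.'.
_USER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def git_push_env(config, environ, keyholder_sock=KEYHOLDER_SOCK):
    """Return the environment to run `git push` with.

    When `gerrit_push_user` is unset the caller's environment is returned
    unchanged, so enabling the feature is a config change and rolling it back
    is the reverse. When set, ssh logs in as that user and the operator's own
    SSH_AUTH_SOCK is replaced by the keyholder socket, so the operator's
    personal key is never offered to Gerrit for the push.
    """
    env = dict(environ)
    user = config.get("gerrit_push_user")
    if not user:
        return env
    if not _USER_RE.match(user):
        raise ValueError("invalid gerrit_push_user: %r" % user)
    # git hands GIT_SSH_COMMAND to the shell, hence shlex.quote on the login.
    env["GIT_SSH_COMMAND"] = "ssh -l " + shlex.quote(user)
    env["SSH_AUTH_SOCK"] = keyholder_sock
    return env


def git_push_argv(remote="origin", refspec="HEAD:refs/for/master"):
    """argv for the push done during a rollback; pair it with git_push_env()."""
    return ["git", "push", remote, refspec]
```

Pass the returned environment as `env=` to `subprocess.run(git_push_argv(), ...)`; the push URL itself still comes from the repository's push remote.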

Change 805462 had a related patch set uploaded (by Hashar; author: Hashar):

[mediawiki/tools/scap@master] Support a different user for Gerrit ssh interactions

https://gerrit.wikimedia.org/r/805462

Change 805373 merged by jenkins-bot:

[mediawiki/tools/scap@master] scap prep: set ssh push url on all repositories

https://gerrit.wikimedia.org/r/805373

Change 805462 merged by jenkins-bot:

[mediawiki/tools/scap@master] Support a different user for Gerrit ssh interactions

https://gerrit.wikimedia.org/r/805462

dancy assigned this task to hashar.