This task is to generate a new ssh key pair, grant access to some groups and arm it in the deployment server keyholder.
When running the MediaWiki train, we run scap deploy-promote which update the MediaWiki versions in wikiversions.json, craft a git commit and send it to Gerrit with a +2.
The push is currently done with our personal account which requires us to store sensible credentials either in:
- a .netrc file if we push over https
- a local personal ssh keypair in our home dir on the deployment server
T306425 is to push the git commit with a service user trainbranchbot which is already existing in Gerrit. We would use the keyholder to hold the credentials allowing us to push to Gerrit.
We will use the Gerrit/LDAP user trainbranchbot, I am guessing we can use the same name for the key (/etc/keyholder.d/trainbranchbot).
The key should be allowed to any groups used to deploy MediaWiki, I think we use the mwdeploy Keyholder agent for the MediaWiki deployment which is configured as:
profile::keyholder::server::agents: mwdeploy: trusted_groups: - wikidev - mwdeploy
We can essentially repeat that configuration:
profile::keyholder::server::agents: trainbranchbot: trusted_groups: - wikidev - mwdeploy
The key is exclusively going to be used to reach to Gerrit hence why we are not reusing the mwdeploy name which is a unix user.
Once the key has been generated and keyholder configured and armed, we will need the public key in order to add it to the Gerrit trainbranchbot user preferences.
Name of approving party (manager for WMF/WMDE staff): @thcipriani