The WMCS instance gerrit-prod-1001.devtools.eqiad1.wikimedia.cloud in the devtools project is used by Release-Engineering-Team for preparing Gerrit upgrade or Puppet patches. One can see it as an integration platform before changes reach out to production.
What uses of Cloud Services do we not like?
Use of Wikimedia's LDAP server for authentication: Even with end-user notification that is required for any service that handles passwords or other sensitive data, use of any of the Wikimedia LDAP servers which contain Developer account information for password authentication from within the Cloud Services environment is strictly prohibited.
As a result the instance has been shutdown.
The root cause is the instance is provisioned by Puppet using role::gerrit. It thus applies the same configuration used by Production:
[auth] type = LDAP cookieSecure = true cookiePath = / registerUrl = https://wikitech.wikimedia.org/w/index.php?title=Special:CreateAccount&returnto=Gerrit/NewUser gitBasicAuth = true gitBasicAuthPolicy = HTTP_LDAP [ldap] server = ldaps://<%= @ldap_host %> ...
There might have been a local LDAP server at some point, but it is not anymore. Or at least the Gerrit instance does authenticate against WMCS.
We can either:
A) Spin up a local LDAP. @bd808 gave some example such as Striker testing environment using a Docker container. Our scap3-dev does have a LDAP container as well.
B) Use OpenId which is the default for Gerrit. But that means the test instance will be slightly different than the production one. Gerrit auth types: https://gerrit.wikimedia.org/r/Documentation/config-gerrit.html#auth.type
In either case, the All-Users.git Gerrit database will most probably need to be emptied / redone. I guess we can simply remove it and run gerrit init to create a fresh one.