Page MenuHomePhabricator
Create Task
Maniphest T368834

Automatically manage repos/stewards group in Gitlab
Closed, ResolvedPublic
Actions

Description

Wikimedia Stewards have repos/stewards group in GitLab. Let's manage it automatically from the Stewards-Onboarding-Tool, to ensure all stewards have access to it.

Details

Other Assignee
Urbanecm
SubjectRepoBranchLines +/-
stewards-onboarder: Add gitlab API to configoperations/puppetproduction+18 -13
Customize query in gerrit

Event Timeline

Urbanecm created this task.Jun 29 2024, 5:56 PM
Restricted Application added a project: User-Urbanecm. · View Herald TranscriptJun 29 2024, 5:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Jun 29 2024, 6:03 PM

Change #1050731 had a related patch set uploaded (by Urbanecm; author: Urbanecm):

[operations/puppet@production] stewards-onboarder: Add gitlab API to config

https://gerrit.wikimedia.org/r/1050731

gerritbot added a project: Patch-For-Review.Jun 29 2024, 6:03 PM
Urbanecm added a subscriber: Dzahn.Jun 29 2024, 6:06 PM

@Dzahn Can you help me with the secrets management here, please? I put the token at stewards1001:/home/urbanecm/gitlab_settings.yaml.

Dzahn added a comment.Jun 29 2024, 6:43 PM

I'll do that on Monday. No problem. Also see comments on the gerrit patch.

Dzahn added a project: collaboration-services.Jun 29 2024, 6:44 PM
Dzahn added a comment.Jun 29 2024, 6:57 PM

I added the token in the private hieradata under role/common/stewards with the key profile::stewards::gitlab_api_token.

This means you can now do a:

String $gitlab_api_token = lookup('profile::stewards::gitlab_api_token,... in profile::stewards next to the existing lookups from public hieradata and have the secret value in the variable.

If you have to get it into the yaml written on disk you will then have to turn it from a file to a template (.erb) where we create the steward-onboarder.yaml and then you can use class variables in there.

Urbanecm added a comment.Jun 29 2024, 7:23 PM

@Dzahn Thank you! I tried following your instructions in https://gerrit.wikimedia.org/r/c/operations/puppet/+/1050731, looks like it works. Review appreciated (but definitely can wait for Monday :)).

LSobanski reassigned this task from Urbanecm to Dzahn.Jul 1 2024, 3:43 PM
LSobanski triaged this task as Medium priority.
LSobanski updated Other Assignee, added: Urbanecm.
LSobanski moved this task from Incoming to Work in Progress on the collaboration-services board.
gerritbot added a comment.Jul 1 2024, 5:40 PM

Change #1050731 merged by Dzahn:

[operations/puppet@production] stewards-onboarder: Add gitlab API to config

https://gerrit.wikimedia.org/r/1050731

Dzahn added a comment.Jul 1 2024, 5:54 PM

puppet wrote /etc/steward-onboarder/steward-onboarder.yaml on stewards1001 just fine

Urbanecm closed this task as Resolved.Jul 1 2024, 6:00 PM
[urbanecm@stewards1001 /srv/repos/onboarding-system (main|u=)]$ python3 onboarder.py update
== Updating gitlab_group
INFO:root:Skipping urbanecm, their access level is not managed.
INFO:root:Removing urbanecmtest from repos/stewards, no longer authorised
== Updating ldap_group
== Updating mailman_list
[urbanecm@stewards1001 /srv/repos/onboarding-system (main|u=)]$

and reading it works as well!

Closing :).

Maintenance_bot removed a project: Patch-For-Review.Jul 1 2024, 6:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits