Hey folks,

In case you did not see the update from Tyler already[0], both Gerrit
and GitLab will stay around. The TL;DR is that there are a few
repositories that must stay in Gerrit (from our perspective, most
notably puppet.git), but for the rest of our repositories we're free
to choose which code host we want to use. Here's a quick proposal for
what to do:

Our Toolforge-related repositories are mostly on GitLab, and they're
making heavy use of GitLab's CI features. I think keeping those there
is the best option for now, and we should move Striker and
labs/toollabs.git there for consistency.

The wmcs-cookbooks repo should stay in Gerrit. That repository is
primarily used by SREs in conjunction with the Puppet repository, which
is staying in Gerrit. Similarly, I think we should move the new Cloud
VPS tofu-infra repository to Gerrit, as that's also used for SRE
workflows and the ability to merge individual patches in a stack is
useful there, similar to how it is on the Puppet repository.

For metricsinfra, we should either migrate the tofu-provisioning
repository from GitLab to Gerrit (which is my preference), or migrate
the prometheus-* repos from Gerrit to GitLab to keep everything
related to that project in one place.

Finally, I think we should move the few repositories we have
canonically on GitHub to GitLab.

Thoughts? I'm happy to draft a formal decision request for my
proposals, although I'm hoping this is simple and uncontroversial
enough to not require one.

[0]: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/…

Taavi
--
Taavi Väänänen (he/him)
Site Reliability Engineer, Cloud Services
Wikimedia Foundation

Hi there,

Tomorrow, 2024-06-26 @ 08:30Z, we will start enforcing new Kubernetes security
rules in Toolforge [0].

We have taken measures to eliminate any user impact, but this being a
potentially sensitive change, I wanted to send a heads-up email.

In a nutshell, pod-related Kubernetes resources, like Deployment or CronJob,
need to have a new set of security-related attributes correctly specified.
This is because we are introducing Kyverno policies as a replacement for the
deprecated PodSecurityPolicies (PSP) [1].

The new Kyverno policies have been deployed already, but are in 'Audit' mode.
What we will be doing tomorrow is setting them to 'Enforce', which is the final
step in this migration, before we can finally drop PSP [2].

Please report [3] any disruption that you may see.

Regards.

[0] https://phabricator.wikimedia.org/T368141
[1] https://phabricator.wikimedia.org/T279110
[2] https://phabricator.wikimedia.org/T364297
[3] https://wikitech.wikimedia.org/wiki/Help:Cloud_Services_communication