[12:07:32] GitLab (CI & Job Runners), Security-Team, serviceops, Patch-For-Review, and 2 others: Setup GitLab Runner in trusted environment - https://phabricator.wikimedia.org/T295481 (Dzahn) I agree that option 1 sounds misleading and not great and option 5 sounds overly complex / brittle. Fully on the sa...
[17:10:40] I made a page that shows all the fingerprints in one place:
[17:10:41] https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/gitlab.wikimedia.org
[17:10:46] and protected the page, only admins can edit
[17:11:13] thing we have not talked about yet is that.. for the service IP we also have 2 different keys, one eqiad and one codfw
[17:11:19] but what we want is to use the same in both
[17:11:35] I suppose
[17:16:35] GitLab (Infrastructure), serviceops, Release-Engineering-Team (Yak Shaving 🐃🪒), Upstream: Self-reported GitLab SSH host key fingerprints don’t appear to match actual host key fingerprints - https://phabricator.wikimedia.org/T296944 (Dzahn) I made this new page that shows all fingerprints in a cen...
[17:18:30] GitLab (Infrastructure), serviceops, Release-Engineering-Team (Yak Shaving 🐃🪒), Upstream: Self-reported GitLab SSH host key fingerprints don’t appear to match actual host key fingerprints - https://phabricator.wikimedia.org/T296944 (Dzahn) {F34892980}
[17:20:19] GitLab (Infrastructure), serviceops, Release-Engineering-Team (Yak Shaving 🐃🪒), Upstream: Self-reported GitLab SSH host key fingerprints don’t appear to match actual host key fingerprints - https://phabricator.wikimedia.org/T296944 (Dzahn)
[17:21:54] GitLab (Infrastructure), serviceops, Release-Engineering-Team (Yak Shaving 🐃🪒), Upstream: Self-reported GitLab SSH host key fingerprints don’t appear to match actual host key fingerprints - https://phabricator.wikimedia.org/T296944 (Dzahn) The part we haven't talked about yet is that also for the...
[19:17:35] if it has different sets of keys for the same hostnames that's going to trigger errors when it gets switched over, right?
[19:18:40] added a bit of prose to https://wikitech.wikimedia.org/w/index.php?title=Help%3ASSH_Fingerprints%2Fgitlab.wikimedia.org&type=revision&diff=1938033&oldid=1938011
[19:20:35] legoktm[m]: yes, https://phabricator.wikimedia.org/T296944#7586043 :)
[19:21:28] and thank you for adding that! That was supposed to be like an include at https://wikitech.wikimedia.org/wiki/GitLab#SSH_fingerprints
[19:21:39] so that I could protect just the fingerprint page
[19:21:53] but "doppelt haelt besser" in German
[19:22:28] GitLab (Infrastructure), serviceops, Release-Engineering-Team (Yak Shaving 🐃🪒), Upstream: Self-reported GitLab SSH host key fingerprints don’t appear to match actual host key fingerprints - https://phabricator.wikimedia.org/T296944 (Legoktm) If it has different sets of keys for the same hostnames...
[19:22:33] gotcha :)
[19:22:39] missing in en.wikt :) https://de.wiktionary.org/wiki/doppelt_h%C3%A4lt_besser
[19:22:45] * legoktm[m] will fix up in a minute
[19:23:05] it's ok either way :)
[19:23:29] but do comment on the ticket about the "copy key around" part:)
[19:24:53] https://translate.google.com/?sl=auto&tl=en&text=doppelt%20h%C3%A4lt%20besser%0A%0Adoppelt%20h%C3%A4lt%20besser%20(Deutsch)%0ARedewendung%0A%0ANebenformen%3A%0A%0A%20%20%20%20doppelt%20gemoppelt%20h%C3%A4lt%20besser%2C%20doppelt%20gen%C3%A4ht%20h%C3%A4lt%20besser%0A%0AWorttrennung%3A%0A%0A%20%20%20%20dop%C2%B7pelt%20h%C3%A4lt%20bes%C2%B7ser%0A%0AAussprache%3A%0A%0A%20%20%20%20IPA%3A%20%5B%E2%80%A
[19:24:59] 6%5D%0A%20%20%20%20H%C3%B6rbeispiele%3A%20Lautsprecherbild%20doppelt%20h%C3%A4lt%20besser%20(Info)%0A%0ABedeutungen%3A%0A%0A%20%20%20%20%5B1%5D%20sich%20zwei%20Mal%20abzusichern%2C%20ist%20sicherer%2Fvorteilhafter%3B%20eine%20zweifache%20Absicherung%2FVersicherung%20ist%20sicherer%0A%0ASinnverwandte%20W%C3%B6rter%3A%0A%0A%20%20%20%20%5B1%5D%20als%20Verb%3A%20auf%20der%20sicheren%20Seite%20sein%2C
[19:25:05] %20auf%20Nummer%20sicher%20gehen%0A%0ABeispiele%3A%0A%0A%20%20%20%20%5B1%5D%20Stimmt%2C%20ich%20h%C3%A4tte%20da%20nicht%20nochmal%20nachfragen%20m%C3%BCssen%2C%20ob%20das%20mit%20der%20Reservierung%20geklappt%20hat%2C%20aber%20du%20wei%C3%9Ft%20ja%3A%20doppelt%20h%C3%A4lt%20besser.&op=translate
[19:25:10] haha, that's horrible, but ok :)
[19:32:30] legoktm[m]: we also want upstream gitlab to add a config option to look for host keys in another path than /etc/ssh/ (/etc/ssh-gitlab :p). to actually fix T296944 so users see different keys in gitlab UI
[19:32:31] T296944: Self-reported GitLab SSH host key fingerprints don’t appear to match actual host key fingerprints - https://phabricator.wikimedia.org/T296944
[19:33:10] that would really close that ticket, but "copy key for service name over" is additional
[19:37:12] GitLab (Infrastructure), serviceops, Release-Engineering-Team (Yak Shaving 🐃🪒), Upstream: Self-reported GitLab SSH host key fingerprints don’t appear to match actual host key fingerprints - https://phabricator.wikimedia.org/T296944 (Dzahn) Yea, well.. unless you argue "if we switch over to anothe...