[08:23:59] GitLab (Auth & Access), CAS-SSO, Infrastructure-Foundations, SRE, and 4 others: migrate gitlab away from the CAS protocol - https://phabricator.wikimedia.org/T320390 (Jelto) Last Friday we've done some troubleshooting and tested a lot of different configurations, thanks @SLyngshede-WMF again! In...
[11:05:31] GitLab: ignoring extra bitmap file warning when fetching from gitlab - https://phabricator.wikimedia.org/T341712 (hashar) > Are we running a version in which the bug is solved? There is a comment from May 2020 (which is from before we have setup Gitlab) which seems to indicate [[ https://gitlab.com/gitlab-...
[11:36:51] jelto: i was just looking at the gitlab issue and im seeing strange issues
[11:37:21] but tl;dr with the current config im now getting the following
[11:37:22] " Your account is pending approval from your GitLab administrator and hence blocked. Please contact your GitLab administrator if you think this is an error. "
[11:37:40] before the last change though i got an error which said "your email is already taken"
[11:37:53] can you take a look at the logs and see what we have
[11:38:21] i.e. what email address does my account have
[11:38:50] * jbond thought that wikimedia.org emails were exempt from auth so guessing i got a temp one?
[11:40:21] jbond: this is "expected", because we had some spam issues and new accounts are locked.
[11:40:21] As mentioned in T320390#9018611 there is still some config active from troubleshooting which uses a different, temporary email (you have temp-email-for-oauth-jbond@gitlab.localhost at the moment).
[11:40:21] We enabled puppet again on gitlab2002 and idp-test1002 but I'm not sure where this temp-email comes from.
[11:40:22] T320390: migrate gitlab away from the CAS protocol - https://phabricator.wikimedia.org/T320390
[11:41:05] temp email is almost definitely coming from gitlab.
[11:41:20] did you approve the account (dont if you haven't)
[11:41:37] no I rejected the account
[11:41:50] can you delete my entries
[11:42:00] i just changed something and im now getting a different error
[11:42:29] What should be deleted? I deleted your new account jbond1 with the temp email
[11:42:48] ahh cool are there any other accounts for me?
[11:42:54] if so can you delete them all
[11:43:17] only your normal account with wikimedia mail
[11:43:30] yes please delete that as well
[11:43:36] (thats promising)
[11:44:04] deleted (we noticed Friday that it takes one or two minutes until that's done)
[11:44:15] ok cool ill wait a sec
[11:45:53] jelto: can you check my account now?
[11:46:32] you have the wikimedia mail again, should I approve?
[11:46:37] yes :D
[11:46:48] approved
[11:47:37] ok im in im just going to try one more thing but i think we have a route forward
[11:48:08] sounds good! But I still don't fully understand the temp-email thing
[11:48:46] i think thats a config in the cas side which changes how we send the email addresses which i guess means that gitlab cant find the email
[11:49:00] at which point git adds some temp addresses
[11:49:12] removing that config allows gitlab to find the email in the correct place
[11:49:27] okay thanks for the explanation :)
[11:49:34] i have a meeting in 10 mins but ill send an update to the task after that
[11:50:15] great thanks a lot, ping me any time if you need any deletion/approvals or something else
[11:50:18] ok can you delete my account again just want to try one more thing
[11:50:36] deleted
[11:50:42] great thanks
[11:55:45] jelto: can you confirm the newest account is also with jbond@w.o and then delete it
[11:56:15] yep I can see a new account with jbond@wm.o. I'll delete the account
[11:56:28] great thanks, last test then i have all the pieces :)
[12:36:19] jelto: ok whats my account like now
[12:37:00] jbond: jbond@wm.o, looking normal
[12:37:07] should I approve/delete?
[12:37:13] yes please
[12:37:27] ok ill send an update to the phab ticket but i think we have a way forward now
[12:37:43] approve or delete?
[12:37:46] thanks :)!
[12:43:25] jelto: you can approve that one
[12:43:52] jelto: can you dump the record for that account and my account on production to the task
[12:44:15] there is some subtle difference between them which prevented me from signing up
[12:44:45] so we will potentially need to do a manual DB update when we migrate production to OIDC (again ill add more detail to the task)
[12:52:41] jbond: approved. I can get the information of both users on prod and replica and paste it to the task
[12:53:09] yes that would be great thanks, obviously remove anything sensitive (my email is not sensitive)
[12:57:39] GitLab (Auth & Access), CAS-SSO, Infrastructure-Foundations, SRE, and 4 others: migrate gitlab away from the CAS protocol - https://phabricator.wikimedia.org/T320390 (Jelto) As requested, @jbond your two users on the replica and production dumped via API (`curl "https://gitlab-replica.wikimedia.o...
[13:10:24] GitLab (Auth & Access), CAS-SSO, Infrastructure-Foundations, SRE, and 4 others: migrate gitlab away from the CAS protocol - https://phabricator.wikimedia.org/T320390 (jbond) I did some more testing today and can confirm that the required config is `cas.authn.oidc.id-token.include-id-token-claims=...
[13:25:02] jbond: do you think it's enough to delete the "authentication identity" in GitLab for every user? https://docs.gitlab.com/ee/api/users.html#delete-authentication-identity-from-user
[13:31:50] GitLab (Auth & Access), CAS-SSO, Infrastructure-Foundations, SRE, and 4 others: migrate gitlab away from the CAS protocol - https://phabricator.wikimedia.org/T320390 (jbond) > from our side we will need to check if cas.authn.oidc.id-token.include-id-token-claims=true is ok to enable globally or i...
[13:32:10] jelto: can definitely test it
[13:33:16] jelto: there may also be some setting that allows multiple identities
[13:33:37] from the example in the link the user has
[13:33:38] "identities": [
[13:33:38] {"provider": "github", "extern_uid": "2435223452345"},
[13:33:38] {"provider": "bitbucket", "extern_uid": "john_smith"},
[13:33:38] {"provider": "google_oauth2", "extern_uid": "8776128412476123468721346"}
[13:33:43] ],
[13:33:48] I'll do some tests and research
[13:34:19] ack i also added a note on the task for something else to test but that will require us updating the cas config as well
[13:36:09] omniauth_auto_link_user = ['cas3', 'openid_connect'] might be worth looking at
[13:36:35] fyi i find this useful for discovering gitlab config https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
[13:37:17] GitLab (Project Migration), collaboration-services: Migrate SRE repositories to GitLab - https://phabricator.wikimedia.org/T341468 (LSobanski)
[13:42:10] GitLab (Project Migration), collaboration-services: Migrate SRE repositories to GitLab - https://phabricator.wikimedia.org/T341468 (LSobanski) >>! In T341468#9009202, @jbond wrote: >> operations/debs > This is also a folder with many repos below it Thanks for pointing this out, I created {T341991}
[13:48:49] GitLab (Project Migration), collaboration-services: Migrate SRE repositories to GitLab - https://phabricator.wikimedia.org/T341468 (BTullis) Did you mean to exclude the following? * `operations/dns` * `operations/docker-images` and its children * `operations/dumps` and its children
[13:54:53] GitLab (Auth & Access), CAS-SSO, Infrastructure-Foundations, SRE, and 4 others: migrate gitlab away from the CAS protocol - https://phabricator.wikimedia.org/T320390 (Jelto) Thanks for troubleshooting this more! I can confirm existing users have `cas3` in the `identities` section. This leads to a...
[13:55:29] jbond: just deleting the identities with cas3 does not work, same error. Do you want me to configure send_scope_to_token_endpoint=true on gitlab2002?
[13:57:28] jelto: im about to go into a meeting but can check after thats finished in about an hour
[13:57:43] fine by me for you to update it now though or i can ping when im finished
[13:58:09] I'll disable puppet and update the flag to true on gitlab2002 (gitlab-replica)
[13:58:32] cheers ill let you know once im done
[14:02:14] gitlab reconfigured. Feel free to test any time after your meeting. We can also test omniauth_auto_link_user setting after that
[14:17:41] GitLab (Project Migration), collaboration-services: Migrate SRE repositories to GitLab - operations/debs - https://phabricator.wikimedia.org/T341991 (Aklapper)
[14:39:41] GitLab (Infrastructure), collaboration-services, Patch-For-Review: GitLabCIPipelineErrors (tweak thresholds of new alert) - https://phabricator.wikimedia.org/T341927 (Jelto) @LSobanski thanks for fixing the alert description! This is a new alert and we have to find the correct thresholds and include...
[15:13:27] GitLab (Project Migration), collaboration-services: Migrate SRE repositories to GitLab - operations/debs - https://phabricator.wikimedia.org/T341991 (LSobanski) p:Triage→Medium
[15:21:07] GitLab (Infrastructure), collaboration-services: Let's Encrypt certificate expiration notice for domain gitlab.devtools.wmcloud.org - https://phabricator.wikimedia.org/T335161 (LSobanski) a:Jelto→None
[16:29:40] GitLab (Project Migration), API Platform, Anti-Harassment, Content-Transform-Team, and 19 others: Migrate PipelineLib repos to GitLab - https://phabricator.wikimedia.org/T332953 (TBurmeister)
[18:29:55] hi jelto if you are still about can you delete my account again. if not can wait till tomorrow
[20:28:36] GitLab (CI & Job Runners), Patch-For-Review, Release-Engineering-Team (They Live 🕶️🧟): buildkitd: Require use of the blubber frontend when running on trusted runners. - https://phabricator.wikimedia.org/T329220 (CodeReviewBot) dancy merged https://gitlab.wikimedia.org/repos/releng/buildkit/-/merge_re...
[20:42:16] GitLab (CI & Job Runners), Patch-For-Review, Release-Engineering-Team (They Live 🕶️🧟): buildkitd: Require use of the blubber frontend when running on trusted runners. - https://phabricator.wikimedia.org/T329220 (CodeReviewBot) dancy opened https://gitlab.wikimedia.org/repos/releng/gitlab-cloud-runner...
[20:42:32] GitLab (CI & Job Runners), Patch-For-Review, Release-Engineering-Team (They Live 🕶️🧟): buildkitd: Require use of the blubber frontend when running on trusted runners. - https://phabricator.wikimedia.org/T329220 (CodeReviewBot) dancy merged https://gitlab.wikimedia.org/repos/releng/gitlab-cloud-runner...