[06:28:40] jbond: I deleted your account. Puppet is still disabled on the replica with the send_scope_to_token_endpoint=true setting enabled [08:24:57] jelto: cheersi have tested the last change made little difference feel free to enable and run puppet [08:26:28] thanks! ok, I'll re-enable puppet. Do you want to do any test with the omniauth_auto_link_user option? [08:37:02] 10GitLab (Infrastructure), 10collaboration-services: Let's Encrypt certificate expiration notice for domain gitlab.devtools.wmcloud.org - https://phabricator.wikimedia.org/T335161 (10Jelto) 05Open→03Resolved a:03Jelto I run the certbot-renew command without `-q` flag to get more output: ` Jul 18 07:58:2... [08:52:45] jelto: yes we could try adding both cas3 and openid_connect to see if it allows us to transition people more easly [08:55:02] ok, I'll configure that for testing manually on gitlab2002 with puppet disabled, one sec [08:56:05] jelto: ack will need to test with someone otheer then me though )as my prod account has allready been deleted) [08:58:05] yes, I'll ask users which are still on cas3. I added gitlab_rails['omniauth_auto_link_user'] = ["cas3", "openid_connect"] to the gitlab.rb config and restarted gitlab [08:59:06] sgtm [09:02:29] 10GitLab (Auth & Access), 10CAS-SSO, 10Infrastructure-Foundations, 10SRE, and 4 others: migrate gitlab away from the CAS protocol - https://phabricator.wikimedia.org/T320390 (10Jelto) >>! In T320390#9018611, @Jelto wrote: > ... > There are two settings which we may test, one is `send_scope_to_token_endpoin... [09:02:46] eoghan reported the same error message with auto link user [09:04:35] ack in that case, other then manully updating the db, im out of ideas [09:07:57] That's the next thing I'll try. Find the right table/command to update the entry and check if users can login after that without deleting the account first [09:26:25] eoghan: can you try again to login, I updated your db entrie from cas to openid_connect [09:26:34] Yep, one sec. [09:27:43] No, same error. I didn't do it in a private window/clear cookies, but I don't think that would have made a difference [09:28:21] hmmm, can you maybe try again in a private window if possible? [09:30:42] Yep, one sec. [09:31:09] Same [09:31:16] hm ok thanks :( [09:35:25] 10GitLab (Auth & Access), 10CAS-SSO, 10Infrastructure-Foundations, 10SRE, and 4 others: migrate gitlab away from the CAS protocol - https://phabricator.wikimedia.org/T320390 (10Jelto) I looked at the GitLab `gitlabhq_production` database and `identities` table. I connected to the psql database using: `sud... [09:55:32] hmm that is annoying [10:14:36] jelto: from the docs i think auto_link should work is it worth raising a bug https://docs.gitlab.com/ee/integration/omniauth.html#link-existing-users-to-omniauth-users [10:20:25] 10GitLab (Auth & Access), 10CAS-SSO, 10Infrastructure-Foundations, 10SRE, and 4 others: migrate gitlab away from the CAS protocol - https://phabricator.wikimedia.org/T320390 (10jbond) >>! In T320390#9022500, @Jelto wrote: >>>! In T320390#9018611, @Jelto wrote: >> ... >> There are two settings which we may... [12:53:04] 10GitLab (Auth & Access), 10CAS-SSO, 10Infrastructure-Foundations, 10SRE, and 4 others: migrate gitlab away from the CAS protocol - https://phabricator.wikimedia.org/T320390 (10Jelto) >>! In T320390#9022808, @jbond wrote: > > > The [[ https://docs.gitlab.com/ee/integration/omniauth.html#link-existing-use... [12:54:15] jbond: eoghan confirmed a successful login in the latest test. I'll try to wrap the config up in a puppet change and then we can test the login again with fresh production data (restoring data to the replica) [13:07:34] jelto that sounds promesing. fyi i have just logged in and everything seemed to work. so if you allready did the db restore that wouldd rule out the db manual update [13:10:56] db restore happens at 1400 utc, so in one hour. But I have to presist the changes to puppet as well. I'll ping you when the test setup is ready. [13:11:26] I'm on a train soon so I need a bit more time :) [13:14:54] ack sgtm [17:12:13] 10GitLab (Infrastructure), 10collaboration-services: Create alerting for GitLab CI failures - https://phabricator.wikimedia.org/T339370 (10Jelto) [17:12:18] 10GitLab (Infrastructure), 10collaboration-services, 10Patch-For-Review: GitLabCIPipelineErrors (tweak thresholds of new alert) - https://phabricator.wikimedia.org/T341927 (10Jelto) [17:22:34] 10GitLab (CI & Job Runners), 10collaboration-services, 10Patch-For-Review: Disable unprivileged userns on GitLab Runners - https://phabricator.wikimedia.org/T341334 (10Jelto) a:03Jelto [18:44:17] 10GitLab (CI & Job Runners), 10Patch-For-Review, 10Release-Engineering-Team (They Live 🕶️🧟): buildkitd: Require use of the blubber frontend when running on trusted runners. - https://phabricator.wikimedia.org/T329220 (10CodeReviewBot) dancy opened https://gitlab.wikimedia.org/repos/releng/gitlab-runner-test/... [19:28:39] 10GitLab (CI & Job Runners), 10Patch-For-Review, 10Release-Engineering-Team (They Live 🕶️🧟): buildkitd: Require use of the blubber frontend when running on trusted runners. - https://phabricator.wikimedia.org/T329220 (10CodeReviewBot) dancy closed https://gitlab.wikimedia.org/repos/releng/gitlab-runner-test/... [19:31:34] 10GitLab (CI & Job Runners), 10Release-Engineering-Team (They Live 🕶️🧟): buildkitd: Require use of the blubber frontend when running on trusted runners. - https://phabricator.wikimedia.org/T329220 (10dancy) buildkitd frontend enforcement has been deployed to trusted runners and tested. [20:41:11] 10GitLab (CI & Job Runners), 10Patch-For-Review, 10Release-Engineering-Team (They Live 🕶️🧟): buildkitd: Require use of the blubber frontend when running on trusted runners. - https://phabricator.wikimedia.org/T329220 (10CodeReviewBot) dancy opened https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_req... [21:23:13] 10Gitlab-Application-Security-Pipeline, 10Security-Team, 10Security: Application Security Pipeline Components for Gitlab - Phase 2 Work - https://phabricator.wikimedia.org/T342177 (10sbassett) [21:23:43] 10Gitlab-Application-Security-Pipeline, 10Security Risk Management, 10Security Team AppSec, 10Security-Team, and 2 others: Create Risk Rating Calculator for Security Reviews / Gitlab AppSec CI - https://phabricator.wikimedia.org/T293138 (10sbassett) [21:23:45] 10Gitlab-Application-Security-Pipeline, 10Security-Team, 10Security: Application Security Pipeline Components for Gitlab - Phase 2 Work - https://phabricator.wikimedia.org/T342177 (10sbassett) [21:23:47] 10GitLab (CI & Job Runners), 10Gitlab-Application-Security-Pipeline, 10Security Team AppSec, 10Security-Team, 10Security: Design and Build Application Security Pipeline Components for Gitlab - https://phabricator.wikimedia.org/T289290 (10sbassett) [21:24:05] 10Gitlab-Application-Security-Pipeline, 10Security-Team, 10Security: Application Security Pipeline Components for Gitlab - Phase 2 Work - https://phabricator.wikimedia.org/T342177 (10sbassett) [21:24:07] 10GitLab (CI & Job Runners), 10Gitlab-Application-Security-Pipeline, 10Security Team AppSec, 10Security-Team, and 2 others: Better support branches and add support for mw core to the phan-taint-check gitlab appsec template - https://phabricator.wikimedia.org/T305083 (10sbassett) [21:24:11] 10GitLab (CI & Job Runners), 10Gitlab-Application-Security-Pipeline, 10Security Team AppSec, 10Security-Team, 10Security: Design and Build Application Security Pipeline Components for Gitlab - https://phabricator.wikimedia.org/T289290 (10sbassett) [21:24:21] 10Gitlab-Application-Security-Pipeline, 10Security-Team, 10Security: Application Security Pipeline Components for Gitlab - Phase 2 Work - https://phabricator.wikimedia.org/T342177 (10sbassett) [21:24:24] 10GitLab (CI & Job Runners), 10Gitlab-Application-Security-Pipeline, 10Security Team AppSec, 10Security-Team, 10Security: Design and Build Application Security Pipeline Components for Gitlab - https://phabricator.wikimedia.org/T289290 (10sbassett) [21:24:35] 10Gitlab-Application-Security-Pipeline, 10Security-Team, 10Security: Application Security Pipeline Components for Gitlab - Phase 2 Work - https://phabricator.wikimedia.org/T342177 (10sbassett) [21:24:37] 10GitLab (CI & Job Runners), 10Gitlab-Application-Security-Pipeline, 10Security Team AppSec, 10Security-Team, and 2 others: Investigate container scanning options within the context of the Gitlab appsec pipeline - https://phabricator.wikimedia.org/T307523 (10sbassett) [21:24:41] 10GitLab (CI & Job Runners), 10Gitlab-Application-Security-Pipeline, 10Security Team AppSec, 10Security-Team, 10Security: Design and Build Application Security Pipeline Components for Gitlab - https://phabricator.wikimedia.org/T289290 (10sbassett) [21:24:47] 10Gitlab-Application-Security-Pipeline, 10Security-Team, 10Security: Application Security Pipeline Components for Gitlab - Phase 2 Work - https://phabricator.wikimedia.org/T342177 (10sbassett) [21:24:53] 10Gitlab-Application-Security-Pipeline, 10Security Team AppSec, 10Security-Team, 10Security: Implement an outdated modules check for golang - https://phabricator.wikimedia.org/T309997 (10sbassett) [21:24:59] 10GitLab (CI & Job Runners), 10Gitlab-Application-Security-Pipeline, 10Security Team AppSec, 10Security-Team, 10Security: Design and Build Application Security Pipeline Components for Gitlab - https://phabricator.wikimedia.org/T289290 (10sbassett) [21:25:25] 10GitLab (CI & Job Runners), 10Gitlab-Application-Security-Pipeline, 10Security Team AppSec, 10Security-Team, 10Security: Design and Build Application Security Pipeline Components for Gitlab - https://phabricator.wikimedia.org/T289290 (10sbassett) 05Open→03Resolved [21:25:49] 10Gitlab-Application-Security-Pipeline, 10Security Team AppSec, 10Security-Team, 10SecTeam-Processed, 10Security: Address issues within certain Gitlab CI security templates - https://phabricator.wikimedia.org/T338034 (10sbassett) [21:25:53] 10Gitlab-Application-Security-Pipeline, 10Security-Team, 10Security: Application Security Pipeline Components for Gitlab - Phase 2 Work - https://phabricator.wikimedia.org/T342177 (10sbassett) [21:27:45] 10Gitlab-Application-Security-Pipeline, 10Security: osv-scanner: add support for finding of nested lockfiles - https://phabricator.wikimedia.org/T342178 (10sbassett) [21:27:54] 10Gitlab-Application-Security-Pipeline, 10Security: osv-scanner: add support for finding of nested lockfiles - https://phabricator.wikimedia.org/T342178 (10sbassett) [21:27:57] 10Gitlab-Application-Security-Pipeline, 10Security-Team, 10Security: Application Security Pipeline Components for Gitlab - Phase 2 Work - https://phabricator.wikimedia.org/T342177 (10sbassett) [21:28:12] 10Gitlab-Application-Security-Pipeline, 10Security: osv-scanner: add support for finding nested lockfiles - https://phabricator.wikimedia.org/T342178 (10sbassett)