[08:19:10] serviceops, MW-on-K8s, SRE, Patch-For-Review, and 2 others: The restricted/mediawiki-webserver image should include skins and resources - https://phabricator.wikimedia.org/T285232 (Joe) In the above patch, I implemented the following approach: - We will rewrite `static/current` to go to `/w/stat...
[11:19:27] serviceops, Scap, Patch-For-Review, Release-Engineering-Team (Doing): scap's canary check gives confusing logstash link - https://phabricator.wikimedia.org/T291870 (hashar) @Krinkle @Joe may you follow up regarding tagging MediaWiki log errors from canaries so we can filter them out in Kibana? I...
[11:23:55] jelto: hi! About gitlab CSP, have you got the config moved from ansible to puppet? I noticed the CSP patch is no more applied on gerrit-replica ;)
[11:24:31] and I guess I can abandon the ansible patch I have made ( https://gerrit.wikimedia.org/r/c/operations/gitlab-ansible/+/725900/ ), maybe archive that repository and polish up the puppet one
[11:29:17] hashar: the migration to puppet was successful, we can continue with 725012 and abandon 725900
[11:29:29] great ;)
[11:31:23] jelto: and may I archive the operations/gitlab-ansible repo? As I understand it there is no more any use case for it
[11:35:26] hashar: I think we can archive it soon. Maybe also check with brennen first if he still needs this repo for some test machine in wmcs?
[11:38:09] jelto: will ask ;)
[11:40:12] jelto: and to enable/disable the csp should add a bunch of puppet variables to the classes such as gitlab::csp_enabled and gitlab::csp_report_only ?
[11:40:24] then I guess I can turn it on for the replica but off for the main instance
[11:46:04] hashar: having flags for CSP is not strictly necessary but I would like this solution. It also helps to test different settings first on the replica. So yes I would add hiera data like profile::gitlab::csp_enabled and pass this down to the gitlab class. Quite similar to smtp_enabled.
[11:51:51] +1 will work on that after lunch. thx!
[12:24:00] jelto done :]
[12:53:01] jelto: you can deploy it if it is fine to you (I don't have rights to do puppet-merge)
[12:53:11] then security team can review the csp directives
[13:07:02] hashar: I'll merge and deploy the change
[13:09:22] good
[13:18:55] hashar: I deployed the change to gitlab-replica and production gitlab. CSP reporting should be active now on the replica
[13:25:52] jelto: that worked like a charm indeed. I passed it from some CSP analyzer and wrote down the result on the task https://phabricator.wikimedia.org/T285363#7417162
[13:26:07] will let security team vet whether those rules are 100% good
[13:26:26] then I guess look at the csp reports and tune on those based. We might have to file in bug to upstream, we will see
[13:26:28] thank you!
[13:27:16] great thanks :)!
[13:48:16] serviceops, SRE, wikidiff2, Community-Tech (CommTech-Sprint-11), Platform Team Workboards (Platform Engineering Reliability): Deploy wikidiff2 1.13.0 - https://phabricator.wikimedia.org/T285857 (ldelench_wmf)
[14:47:17] serviceops, SRE, MW-1.35-notes (1.35.0-wmf.34; 2020-05-26), Patch-For-Review, Platform Engineering (Icebox): Undeploy graphoid - https://phabricator.wikimedia.org/T242855 (akosiaris) >>! In T242855#7415161, @Aklapper wrote: > Half a year later, is there anyone feeling kind of responsible to p...
[16:08:43] serviceops: Productionise mc20[38-55] - https://phabricator.wikimedia.org/T293012 (jijiki)
[16:08:59] serviceops: Productionise mc20[38-55] - https://phabricator.wikimedia.org/T293012 (jijiki)
[17:00:23] serviceops, Anti-Harassment, IP Info, SRE, Patch-For-Review: Update MaxMind GeoIP2 license key and product IDs for application servers - https://phabricator.wikimedia.org/T288844 (phuedx) >>! In T288844#7407062, @Dzahn wrote: > It would now be possible to test the IPInfo extension using that...
[17:26:06] serviceops, Scap, Patch-For-Review, Release-Engineering-Team (Doing): scap's canary check gives confusing logstash link - https://phabricator.wikimedia.org/T291870 (Krinkle) @hashar If I understand correctly, you're suggesting this because it would mean Scap's query does not need to know the cana...