Build stage environment for GitHub Event Router app
Categories
(mozilla.org :: Github: Administration, task)
Tracking
(Not tracked)
People
(Reporter: sven, Assigned: cknowles)
Details
It turned out that we still need to do some development work on the Event Router app requested in bug 1786897. To that end, we would like to introduce a stage environment for the app. The stage app needs to be separate from the production app to avoid unintended interactions between the apps, and it needs to be installed on a disjoint set of repositories. Since the prod app is installed on all repos in mozilla-sre-deploy, we need to use a different org for the stage app.
For these reasons, we would like to
- Transfer the stage app to the mozilla-it org.
- Install it on newly created private repositories test-event-router-1 and test-event-router-2.
- Transfer the private github-event-router repository into the mozilla-it org.
The required permissions for the stage app are the same as for the prod app. Since the app only gets access to newly created empty test repositories, I don't think there can be any security concerns.
Comment 1 • 3 years ago (Reporter)
All three new private repositories (the two empty test repos and the transferred repo) should be owned by https://github.com/orgs/mozilla-it/teams/platform-services-sre. It would be nice if jasonthomas, jbuck and smarnach can be made app managers for the transferred stage app.
Comment 2 • 3 years ago (Reporter)
It looks like I can't ask for the transfer of a private repository into the mozilla-it org. I get the error message "You don’t have the permission to create private repositories on mozilla-it". I'm not sure how to proceed now.
Comment 3 • 3 years ago (Assignee)
For the private repos in this ticket, can you provide some information about the level of private data in there (per https://wiki.mozilla.org/Security/Data_Classification), and also something about the length of time they need to be private (I assume permanent, but have to ask), and a sentence about the use of them? (For record-keeping purposes.)
Where does the github-event-router repo currently exist? (Just midaired with your report - you could move the repo into mozilla-sre-deploy and then I can handle the final move into mozilla-it...) I just need to know where it's coming from.
Finally, where is the stage app deployed? I don't see any app with stage in the name in either mozilla-it or mozilla-sre.
Once we have those figured out we can make headway here.
Comment 4 • 3 years ago (Assignee)
And I just got your request for the stage app transfer to mozilla-it; I'll process that shortly. (And I'm cc'ing Austin Sargent, so secops is aware - this continues to fall under the existing agreements with secops afaict, but they'll need to know so they can ask questions later.)
Comment 5 • 3 years ago (Assignee)
Transfer of app completed - but it's asking for repos - I'm guessing it needs those test repos from comment 0 but would like confirmation.
Comment 6 • 3 years ago (Assignee)
Repos https://github.com/mozilla-it/test-event-router-1 and https://github.com/mozilla-it/test-event-router-2 created, platform-services-sre set as admins. App installed, with access to those two repos.
Comment 7 • 3 years ago (Reporter)
All three new private repositories are only private to keep the project numbers/ids of our GCP projects private, and for no other reason. Everything else in these repos can be public, but secops asked us to not make these project numbers public, though they aren't really secrets. Inside of Mozilla, we can share the information arbitrarily. This needs to be private indefinitely, as long as secops don't change the policy.
The github-event-router repo hosts the code for the GitHub app. The two test repos are intended for testing the event router. They won't contain anything useful, which is the whole point – we want to be able to test with repositories that are otherwise meaningless.
I will request a transfer of the github-event-router repo to mozilla-sre-deploy – let's see if we can make it work that way. :)
Comment 8 • 3 years ago (Reporter)
Transfer successful: https://github.com/mozilla-sre-deploy/github-event-router
Comment 9 • 3 years ago (Assignee)
And I've transferred it to mozilla-it, and filled out the records.
https://github.com/mozilla-it/github-event-router
And for some reason bugzilla isn't letting me add a CC to the bug ... I'll work on making secops aware.
Comment 10 • 3 years ago
Approved by SecOps/SecEng, looks good to me. Thanks for keeping us in the loop, we will be looking into formalizing a standard for this activity in time.
Comment 11 • 3 years ago (Assignee)
Alright, given the secops thumbsup and lack of screaming - closing out.