[all][summary] Curating the openstack org on GitHub

Thierry Carrez thierry at openstack.org
Fri Apr 10 12:02:29 UTC 2020


Jeremy Stanley wrote:
> On 2020-04-09 16:53:09 -0700 (-0700), James E. Blair wrote:
> [...]
>> * Create a job in openstack/project-config which inherits from it and
>>    supplies the secret for the ssh key which grants access to the
>>    openstack org so that no openstack project has to deal with that
>>    individually.
> 
> Something like the openstack-mirror-on-github job added by
> https://review.opendev.org/718479 but adding...
> 
>>    This secret would specify "^openstack/.*" as the project regex
>>    mentioned above to restrict it to official openstack projects.

Also adding nodeless operation and moving it to opendev/base-jobs.

> Because as you pointed out in IRC, this job can actually be added to
> any project in-repo right now and since it ignored the namespace
> part of the repo name but hard-codes the destination to the
> openstack org, it allows a potential x/nova repo to fight with
> openstack/nova over replication to the same target and all the
> possible security implications thereof.
> 
> Reverted Thierry's PoC for the moment with
> https://review.opendev.org/718839 but we should repropose following
> the plan you've outlined.
> 
>> * OpenStack projects would simply add that job to their post pipelines
>>    (either in-repo or in project-config).
> [...]
> 
> In project-config I guess, because we'll want to also replicate on
> tag events and implicit branch matching for branched projects will
> prevent that from working if added in-repo.
> 
>> I think we should set that up (and confirm it works) before we do any
>> mass replication job changes.
> 
> I absolutely agree. The idea was to test carefully before adding
> this to any non-test repos anyway.

That all sounds good to me. Regarding implementation, could someone who 
knows what they are doing create that nodeless secret-driven-regexped 
git-mirroring job in opendev/base-jobs? I'll be happy to take it from 
there :)

-- 
Thierry Carrez (ttx)
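Added example (not code from this thread, from Zuul, or from opendev/base-jobs): a small Python model of the two destination-naming rules discussed above. `unsafe_destination` reproduces the behaviour Jeremy describes for the reverted PoC (drop the namespace, hard-code the openstack org), and `safe_destination` applies the "^openstack/.*" project regex and keeps the namespace tied to the target org, so an x/nova repo can no longer collide with openstack/nova. The function names are hypothetical; the project names passed in are assumed to be full Zuul project names (namespace/short-name), and the sample project list is constructed for the demonstration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Project regex quoted in the thread, restricting the job to official projects.
ALLOWED_PROJECT_RE = re.compile(r"^openstack/.*")
# GitHub org the replication secret grants access to.
GITHUB_ORG = "openstack"


def unsafe_destination(project_name: str) -> str:
    """Behaviour of the reverted PoC as described in the thread (hypothetical
    reconstruction): ignore the namespace, hard-code the destination org.
    Any namespace's 'nova' maps to github.com/openstack/nova."""
    short_name = project_name.rsplit("/", 1)[-1]
    return f"git@github.com:{GITHUB_ORG}/{short_name}.git"


def safe_destination(
    project_name: str,
    allowed_re: "re.Pattern[str]" = ALLOWED_PROJECT_RE,
    org: str = GITHUB_ORG,
) -> Optional[str]:
    """Return the mirror target only for projects matching the regex, and
    only when the source namespace is the org the secret is scoped to.
    Returns None (i.e. skip replication) otherwise."""
    if not allowed_re.match(project_name):
        return None
    namespace, _, short_name = project_name.partition("/")
    # Defence in depth: even if someone loosens the regex later, the
    # namespace must still equal the destination org.
    if namespace != org or not short_name:
        return None
    return f"git@github.com:{org}/{short_name}.git"


def collisions(projects: List[str], derive) -> Dict[str, List[str]]:
    """Map each destination to the source projects that would push to it,
    keeping only destinations claimed by more than one source."""
    targets: Dict[str, List[str]] = defaultdict(list)
    for name in projects:
        dest = derive(name)
        if dest is not None:
            targets[dest].append(name)
    return {dest: srcs for dest, srcs in targets.items() if len(srcs) > 1}


# Constructed sample: an official project and a same-named unofficial one.
SAMPLE_PROJECTS = ["openstack/nova", "x/nova", "openstack/project-config"]

if __name__ == "__main__":
    print("unsafe:", collisions(SAMPLE_PROJECTS, unsafe_destination))
    print("safe:  ", collisions(SAMPLE_PROJECTS, safe_destination))
```

With the unsafe rule both openstack/nova and x/nova resolve to the same GitHub target, which is exactly the fight Jeremy describes; with the regex plus namespace check, x/nova is simply never replicated.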
