semi-proposal: Is there a better way users could provide SSH/HTTPS/Git configuration?
Created by: slimsag
Note: Once I feel a bit more confident about this or have more concrete thoughts, I will flesh out a real proposal on this following our new proposal process. Until then, this exists as a brain dump merely for gathering some small feedback and to remind myself of what I am thinking of exactly.
Sourcegraph occasionally requires SSH/HTTPS/Git configuration. See:
- https://docs.sourcegraph.com/admin/repo/auth#repositories-that-need-http-s-or-ssh-authentication
- https://github.com/sourcegraph/deploy-sourcegraph-docker#configuring-ssh-cloning
- https://github.com/sourcegraph/deploy-sourcegraph/blob/master/docs/configure.md#configure-repository-cloning-via-ssh
Problems with this current setup include:
- We do not provide instructions to test the configuration in all docs (currently, only deploy-sourcegraph-docker does). The turnaround time between applying a change, testing that repository cloning works, etc. is painful and slow.
- It is easy to mistake docs.sourcegraph.com as applying to Cluster setups, when in reality it only partially does.
- It is easy to mess up the permissions of the SSH directory. For example, if your ssh directory is owned by root but Sourcegraph tries to clone as the container's `sourcegraph` user.
- In cluster deployments, you must configure SSH on every gitserver instance uniformly. This is less of a problem in Kubernetes, but more of a problem in non-Kubernetes deployments.
- In cluster deployments, you must store your secret SSH credentials elsewhere and be careful to not send PRs to us that contain them. We have to warn users about this, currently.
- deploy-sourcegraph currently doesn't explain how to configure HTTPS authentication, but we do explain this for Server users. Do we need to for cluster users, too? https://docs.sourcegraph.com/admin/repo/auth#http-s-authentication-via-netrc
All of these issues (many of which could be addressed individually or through more documentation) make me wonder: Is there a better way that we could have users provide SSH/HTTPS/Git configuration? Would it be valuable to invest time in doing so?
One possible proposal would be:
- "To configure cloning of repositories, use the following: https://sourcegraph.example.com/site-admin/configure-cloning"
- When you visit that page, an in-browser page / form allows you to specify:
  - `~/.ssh/id_rsa`
  - `~/.ssh/id_rsa.pem`
  - `~/.ssh/known_hosts`
  - `~/.ssh/config`
  - `~/.netrc`
  - `~/.gitconfig`
- Additionally, it has an area where you can type in a `git clone <url>` and test cloning works.
- Once you are finished, hit save and Sourcegraph will persist your changes to the database (site config) the same way it does with other secrets. (The changes are automatically propagated to all gitservers, you do not need to restart anything, do not need to mount any files, etc.)
Thoughts?
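
The ownership and permission mismatch described in the problem list above can be caught before a clone is attempted. The following pre-flight check is an added example, not part of the original post and not Sourcegraph code; the function names and the mode policy (directory and private keys owner-only, `config` and `known_hosts` not writable by group or other) are assumptions, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example (not Sourcegraph code): audit an SSH directory before mounting it.
# Assumes GNU stat (stat -c), as shipped in common Linux container images.

# check_path PATH EXPECTED_UID FORBIDDEN_BITS
# Reports a wrong owner or any permission bit from the octal mask FORBIDDEN_BITS.
check_path() {
    path=$1; want_uid=$2; mask=$3
    [ -e "$path" ] || return 0              # optional file: absent is fine
    owner=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")
    rc=0
    if [ "$owner" != "$want_uid" ]; then
        echo "OWNER $path: uid $owner, expected $want_uid"
        rc=1
    fi
    # A leading 0 makes the shell read both values as octal.
    if [ $(( 0$mode & 0$mask )) -ne 0 ]; then
        echo "MODE $path: $mode overlaps forbidden bits $mask"
        rc=1
    fi
    return $rc
}

# check_ssh_dir DIR EXPECTED_UID
# Returns 0 when DIR and the files in it pass, 1 otherwise.
check_ssh_dir() {
    dir=$1; uid=$2; bad=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir is not a directory"
        return 1
    fi
    check_path "$dir" "$uid" 077 || bad=1   # directory: owner-only
    for f in id_rsa id_rsa.pem; do          # private keys: owner-only
        check_path "$dir/$f" "$uid" 077 || bad=1
    done
    for f in config known_hosts; do         # not writable by group/other
        check_path "$dir/$f" "$uid" 022 || bad=1
    done
    return $bad
}

# Run directly as: sh check.sh DIR [UID]; UID defaults to the current user.
if [ $# -ge 1 ]; then
    check_ssh_dir "$1" "${2:-$(id -u)}"
fi
```

Pass the numeric UID of the account that performs the clone inside the container, not the UID of whoever prepared the directory on the host.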