Use HTTPS cloning for Geo

In #1255 (closed), we discuss the difficulties that using SSH for Geo repository sync causes us. We have some ideas to improve that, but I wonder if we should bypass it completely and perform the repository sync over HTTPS instead of SSH.

Advantages:

  • No need for known_hosts management - use HTTPS CA infrastructure instead
  • No need to manage special Geo SSH keys - we'd replace them with an access token of some kind
  • Simpler network topology - no need for port 22 access between primary and secondary (probably a non-concern)

Downsides: ???

We already use HTTPS clone for CI, so we know it's usable at scale. Does SSH have some large advantage over HTTPS that I don't know about? In that case, would the runners benefit similarly from using SSH clone?

/cc @jarv @to1ne @dbalexandre @brodock @tmaczukin

Edited by Nick Thomas