@mobrovac was wondering how one can SSH into a Nodepool instance for debugging purposes. Since they are not hooked with LDAP, the only way right now is to:
- head to labnodepool1001.eqiad.wmnet
- become-nodepool
- ssh jenkins@<instance ip>
In T128175#2066977, @JanZerebecki proposed to copy the keys from ldap into place at instance creation or image build time.
Note: In principle these nodes can be unprivileged. In practice when they run gate-and-submit (pre merge) or any post merge action they might have equivalent access to directly push to the repo, make and publish releases and other trusted build artifacts. So it would be nice to be able to differentiate these actions or their simulation when considering which keys get access.