We had the idea of running the maintain-dbusers logic from inside Toolforge (or potentially any other VM under our control).
Currently, this logic runs on the labstore servers (those hosting NFS data).
This solves a weird situation in which ToolsDB now runs on VMs, but we still need to contact:
- LDAP
- labstores (for Toolforge NFS data)
- and ToolsDB itself
However, that requires some specific considerations, like:
- how we manage secrets
- does this create additional load for NFS (i.e., r/w over the network instead of locally)?
- Trying to decide if our need today is part of a large need in the future, or if it is a side effect of only having moved some things out of the production realm