We need a service user with enough access to create/append/delete TXT records under the DNS zone traffic.wmflabs.org.
This service user will be used by acme-chief to fulfill dns-01 challenges from Let's Encrypt.
Following the naming schema used in the deployment-prep project traffic-dns-manager could be the name for this service account
For the WMCS team meeting, needs discussion: how to better handle this. I'm not aware of the current workflow for creating service account in openstack.
Anyone can create the desired Developer account via Wikitech or Striker and then add it as an administrator of the traffic project. There is nothing special about the account from the OpenStack point of view. We can not make a single account to handle this sort of activity across multiple Cloud VPS projects as the same credentials would be used in all projects.
$ ldap cn=deployment-prep-dns-manager \* memberOf dn: uid=deployment-prep-dns-manager,ou=people,dc=wikimedia,dc=org uid: deployment-prep-dns-manager sn: Deployment-prep-dns-manager cn: Deployment-prep-dns-manager objectClass: inetOrgPerson objectClass: person objectClass: ldapPublicKey objectClass: posixAccount objectClass: shadowAccount uidNumber: 19091 gidNumber: 500 homeDirectory: /home/deployment-prep-dns-manager loginShell: /bin/false mail: krenair+betadnsmanager@<redacted> memberOf: cn=project-deployment-prep,ou=groups,dc=wikimedia,dc=org # pagedresults: cookie=
Here you go @Vgutierrez. Ping me on IRC if you would like to have some assistance when creating the Wikitech or Striker account.
IIRC deployment-prep's one has a special role that cannot be assigned by normal users, it gives basically read only + edit DNS permissions?
Wow, I had completely forgotten that we made the designateadmin role in T194998: Create custom deployment-prep role that allows editing of Designate records only. I don't think this actually got documented anywhere outside of that ticket and the git patch that went with it. @Andrew didn't remember it when I was rambling in a meeting today about how we could in theory make such a role if it was actually needed.
The rest of the things I said about initial creation of the account are pretty much true, but it will take direct use of the openstack cli tools to grant the new user this role in the project.
Yeah, to be honest, a limited access for this account would be better than a full administrator role
Change 528720 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] keystone: allow svc account traffic-cloud-dns-manager to use password auth
Change 528720 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] keystone: allow svc account traffic-cloud-dns-manager to use password auth
For the record, I just created a basic documentation page: https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Service_accounts
Mentioned in SAL (#wikimedia-cloud) [2019-08-07T10:01:54Z] <arturo> remove projectadmin and added designateadmin role to the traffic-cloud-dns-manager user T229786