Page MenuHomePhabricator
Create Task
Maniphest T235304

Create a service account to manage toolforge.org. from acme-chief
Closed, ResolvedPublic
Actions

Description

We need a service user with enough access to create/append/delete TXT records under the DNS zone toolforge.org.

This service user will be used by acme-chief to fulfill dns-01 challenges from Let's Encrypt.

Following the naming schema used in the deployment-prep and traffic projects tools-dns-manager could be the name for this service account. See https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Service_accounts for service account information.

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+1 -0openstack: Allow tools-dns-manager to connect from labs networks
Customize query in gerrit

Related Objects
Search...

Event Timeline

bd808 created this task.Oct 11 2019, 8:34 PM
Krenair closed this task as Resolved.Oct 11 2019, 8:52 PM
Krenair claimed this task.

https://wikitech.wikimedia.org/wiki/Special:Log?type=newusers&page=User%3ATools-dns-manager

Krenair reopened this task as Open.Oct 11 2019, 9:02 PM

<Krenair> Well the next step is for someone with novaadmin access to give it the designateadmin role (and maybe observer?) in the tools project.
<Krenair> Don't think it's something us mortal projectadmins can grant from the horizon UI
<Krenair> actually the ticket said 'with enough access', guess I'll leave it open for that

Krenair removed Krenair as the assignee of this task.Oct 11 2019, 9:02 PM
Stashbot added a comment.Oct 11 2019, 9:16 PM

Mentioned in SAL (#wikimedia-cloud) [2019-10-11T21:16:30Z] <jeh> grant tools-dns-manager designateadmin role in tools project T235304

gerritbot added a comment.Oct 11 2019, 9:22 PM

Change 542605 had a related patch set uploaded (by Jhedden; owner: Jhedden):
[operations/puppet@production] openstack: Allow tools-dns-manager to connect from labs networks

https://gerrit.wikimedia.org/r/542605

gerritbot added a project: Patch-For-Review.Oct 11 2019, 9:22 PM
JHedden added a comment.Oct 11 2019, 9:26 PM

Assigned roles for the tools-dns-manager user in eqiad1

+----------------+---------------------------+-------+---------------+--------+-----------+
| Role           | User                      | Group | Project       | Domain | Inherited |
+----------------+---------------------------+-------+---------------+--------+-----------+
| observer       | Tools-dns-manager@Default |       | tools@Default |        | False     |
| designateadmin | Tools-dns-manager@Default |       | tools@Default |        | False     |
+----------------+---------------------------+-------+---------------+--------+-----------+
gerritbot added a comment.Oct 11 2019, 9:26 PM

Change 542605 merged by Jhedden:
[operations/puppet@production] openstack: Allow tools-dns-manager to connect from labs networks

https://gerrit.wikimedia.org/r/542605

Krenair closed this task as Resolved.Oct 11 2019, 9:30 PM

Thank you!

Maintenance_bot removed a project: Patch-For-Review.Oct 11 2019, 10:10 PM
Krenair mentioned this in T252732: Create a service account to manage testlabs DNS.May 14 2020, 1:09 AM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL