We need a service user with enough access to create/append/delete TXT records under the DNS zone toolforge.org.
This service user will be used by acme-chief to fulfill dns-01 challenges from Let's Encrypt.
Following the naming schema used in the deployment-prep and traffic projects tools-dns-manager could be the name for this service account. See https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Service_accounts for service account information.
| operations/puppet : production | openstack: Allow tools-dns-manager to connect from labs networks |
| Status | Assigned | Task | ||
|---|---|---|---|---|
| Restricted Task | ||||
| Open | • bd808 | T232536 Toolforge Kubernetes internal API down, causing `webservice` and other tooling to fail | ||
| Open | None | T236565 "tools" Cloud VPS project jessie deprecation | ||
| Open | None | T214513 Upgrade Toolforge Kubernetes | ||
| Resolved | aborrero | T215531 Deploy upgraded Kubernetes to toolsbeta | ||
| Resolved | aborrero | T228500 Toolforge: evaluate ingress mechanism | ||
| Open | None | T234617 Toolforge. introduce new domain toolforge.org | ||
| Restricted Task | ||||
| Resolved | Krenair | T235252 Toolforge: SSL support for new domain toolforge.org | ||
| Resolved | None | T235304 Create a service account to manage toolforge.org. from acme-chief |
<Krenair> Well the next step is for someone with novaadmin access to give it the designateadmin role (and maybe observer?) in the tools project.
<Krenair> Don't think it's something us mortal projectadmins can grant from the horizon UI
<Krenair> actually the ticket said 'with enough access', guess I'll leave it open for that
Mentioned in SAL (#wikimedia-cloud) [2019-10-11T21:16:30Z] <jeh> grant tools-dns-manager designateadmin role in tools project T235304
Change 542605 had a related patch set uploaded (by Jhedden; owner: Jhedden):
[operations/puppet@production] openstack: Allow tools-dns-manager to connect from labs networks
Assigned roles for the tools-dns-manager user in eqiad1
+----------------+---------------------------+-------+---------------+--------+-----------+ | Role | User | Group | Project | Domain | Inherited | +----------------+---------------------------+-------+---------------+--------+-----------+ | observer | Tools-dns-manager@Default | | tools@Default | | False | | designateadmin | Tools-dns-manager@Default | | tools@Default | | False | +----------------+---------------------------+-------+---------------+--------+-----------+
Change 542605 merged by Jhedden:
[operations/puppet@production] openstack: Allow tools-dns-manager to connect from labs networks