Change Details

== Requestor provided information and prerequisites == **This section is to be completed by the individual requesting access.** * shell username: aikochou and kevinbazira * Requested group membership: `deployment` * Reason for access: Recently permissions for Helm config files changed (https://phabricator.wikimedia.org/T305729) to allow only members of the `deployment` group to read them, and some ml-team members not in it started to see permissions problems while deploying: 1) Permission in helmfile while using it, since the `HELM_CACHE_HOME` was not writable/readable anymore. This problem can be worked around exporting a new cache home directory for each user like explained in T307927#7920508. 2) Permission to read files under /etc/helmfile-defaults/private, ending up in wrong deployment actions/diffs (like removing Secrets etc.. because not readable anymore, see T307927#7921020). If it was only `HELM_CACHE_HOME` the problem, we could have added another one for the ml-team use case, but since more helmfile config files are involved, the quickest solution seems to be to add ml-team deployers to the `deployment` group. A more long term solution may be needed, but I'd prefer to allow members of my team to keep deploying right now without being blocked. https://gerrit.wikimedia.org/r/c/operations/puppet/+/791036/ * Name of approving party (manager for WMF/WMDE staff): Chris Albon * Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: * Please coordinate obtaining a comment of approval on this task from the approving party. == SRE Clinic Duty Confirmation Checklist for Access Requests == This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off. **This section is to be confirmed and completed by a member of the SRE team.** [] - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document. [] - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet) [] - User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform) [] - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.) [] - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff) [] - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

== Requestor provided information and prerequisites == **This section is to be completed by the individual requesting access.** * shell username: aikochou and kevinbazira * Requested group membership: `deployment` * Reason for access: Recently permissions for Helm config files changed (https://phabricator.wikimedia.org/T305729) to allow only members of the `deployment` group to read them, and some ml-team members not in it started to see permissions problems while deploying: 1) Permission in helmfile while using it, since the `HELM_CACHE_HOME` was not writable/readable anymore. This problem can be worked around exporting a new cache home directory for each user like explained in T307927#7920508. 2) Permission to read files under /etc/helmfile-defaults/private, ending up in wrong deployment actions/diffs (like removing Secrets etc.. because not readable anymore, see T307927#7921020). If it was only `HELM_CACHE_HOME` the problem, we could have added another one for the ml-team use case, but since more helmfile config files are involved, the quickest solution seems to be to add ml-team deployers to the `deployment` group. A more long term solution may be needed, but I'd prefer to allow members of my team to keep deploying right now without being blocked. https://gerrit.wikimedia.org/r/c/operations/puppet/+/791036/ * Name of approving party (manager for WMF/WMDE staff): Chris Albon * Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: * Please coordinate obtaining a comment of approval on this task from the approving party. == SRE Clinic Duty Confirmation Checklist for Access Requests == This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off. **This section is to be confirmed and completed by a member of the SRE team.** [x] - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document. [x] - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet) [x] - User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform) [x] - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.) [x] - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff) [x] - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

== Requestor provided information and prerequisites == **This section is to be completed by the individual requesting access.** * shell username: aikochou and kevinbazira * Requested group membership: `deployment` * Reason for access: Recently permissions for Helm config files changed (https://phabricator.wikimedia.org/T305729) to allow only members of the `deployment` group to read them, and some ml-team members not in it started to see permissions problems while deploying: 1) Permission in helmfile while using it, since the `HELM_CACHE_HOME` was not writable/readable anymore. This problem can be worked around exporting a new cache home directory for each user like explained in T307927#7920508. 2) Permission to read files under /etc/helmfile-defaults/private, ending up in wrong deployment actions/diffs (like removing Secrets etc.. because not readable anymore, see T307927#7921020). If it was only `HELM_CACHE_HOME` the problem, we could have added another one for the ml-team use case, but since more helmfile config files are involved, the quickest solution seems to be to add ml-team deployers to the `deployment` group. A more long term solution may be needed, but I'd prefer to allow members of my team to keep deploying right now without being blocked. https://gerrit.wikimedia.org/r/c/operations/puppet/+/791036/ * Name of approving party (manager for WMF/WMDE staff): Chris Albon * Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: * Please coordinate obtaining a comment of approval on this task from the approving party. == SRE Clinic Duty Confirmation Checklist for Access Requests == This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off. **This section is to be confirmed and completed by a member of the SRE team.** [x] - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document. [x] - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet) [x] - User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform) [x] - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.) [x] - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff) [x] - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access