LFIT access to secrets

[UlisesGascon]

The LFIT needs access to the secrets repository (folders: infra-mac and test AFAIK) in order to work with MacStadium/Orka (see: #3638) and the perf machines (see: #3657). In both cases they are working on providers migration.

Just to summarize the auth level:

• Access as admin to all the test machines using via SSH
  • https://github.com/nodejs/build/blob/main/ansible/inventory.yml#L102
• Access as admin to all the MacOS related infrastructure (using SSH) including dedicated release machines from that environment.
  • https://github.com/nodejs/build/blob/main/ansible/inventory.yml#L60
  • https://github.com/nodejs/build/blob/main/ansible/inventory.yml#L72
  • https://github.com/nodejs/build/blob/main/ansible/inventory.yml#L93

Are we comfortable with this decision (cc: @nodejs/build )?

[UlisesGascon]

I am +1 on this decision, and I will work with them while setting up the new VMs in the Orka environment, so I can also help to do a proper onboarding to our team/culture and how we work as a team.

[richardlau]

+1 from me.

[mhdawson]

+1, with @UlisesGascon helping them on the MacOS infrastructure I think it makes sense.

[ryanaslett]

What are the next steps? Ideally I'd like to be able to get the benchmarking machines set up and vetted before the April 1 nearform deadline.

If thats unlikely, we can do one of the following:
A. communicate to nearform that we need more time,
B. Live without benchmarking until we get it set up, OR
C. Pass me the ansible public keys and I can put them on the machines and somebody who has access and time can configure and connect them to Jenkins.

[mhdawson]

If we don't have any objections by monday I we can get together Monday afternoon and I can add your keys. I've not done it that many times so would prefer to do it together so we can test etc. Does 3 ET work for you?

Are the machines up and running ready to be ansibled?

[mhdawson]

Also if you've already run ansible on the machines I think the only thing that would be missing without access to the secrets is the jenkins tokens which we can easily get/add to the machines. For new machines they won't be in the secrets repo anyway as they are created when we add the entry in Jenkins.

[ryanaslett]

Great, yes, Monday 3 ET will work for me.

I have not run ansible on them yet as I was planning on having the same shared public key so that anybody in the build wg can make changes if necessary.

The machines are provisioned, and basically untouched.

[mhdawson]

Met with @ryanaslett and added him to the test repo yesterday.

Also created the two new benchmark machines in Jenkins and added them to the firewall.

[UlisesGascon]

I think that we can close this issue as @ryanaslett has the access already, otherwise feel free to reopen it again

[richardlau]

I think they were only given access to test and have not been given access to infra-mac.

[ryanaslett]

@UlisesGascon what @richardlau said is correct. I have access to test, but would still like access to the macstadium resources. @mhdawson said that I needed a full onboarding for that to happen. Can we schedule a time to do that?

[UlisesGascon]

Yes! We can do an onboarding next week (Monday/Tuesday? I will send you a DM for the details),

I plan to work on #3240 during the weekend so I will have all the knowledge fresh for the onboarding session. I will also create the PR to grant you the MacOS related accesses, @ryanaslett. 👍

[richardlau]

Now I think this can be closed 🙂.