On 21.06.20 03:27, Sven-Hendrik Haase wrote:
Hey all,
I propose adding Frederik Schwan to the devops team. He's eager to help Arch, he's knowledgeable, and does devops professionally. He's got a good amount of experience with mail stacks and cloud stuff and he'd like to help us out.
In fact, he's already helped quite a bit with testing and some accessless devops tasks but the number of tasks requiring access that we currently have far outweigh the accessless tasks and I think he'd like to become more involved.
Thoughts?
Cheers, Sven
Since no new opinions are coming in, I'll summarise: Everyone agrees it's fine to let Frederik do some specific tasks without giving him full access. Some people have reservations about giving full access which is fair. Our problem is that our vault currently is all-or-nothing. This leads me to a new conundrum: How do we share only a little bit of access but still allow people to run the playbooks properly? Currently we assume everyone has full access but we need to rethink that assumption. This in turn would also make it less painful to get people into DevOps roles in Arch as we wouldn't necessarily have to grant full access to all secrets. I made an issue for this where we can discuss it further [0]. But I digress. The problem is: We only have so many tasks which can be done on a limited access basis. Our biggest tasks right now are migrations which often involve multiple services at once and therefore require significant access. I'll do this: I'll work with Frederik and see how much we can do without full vault access. There are a few specific issues I have in mind and I'll hand out specific credentials as required. When the time comes and we're reaching a point where we've exhausted the issues that can be done without full access, I'll send another mail. Let's consider Frederik a limited-access member of the DevOps team for the time being. :) Cheers, Sven [0] https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/64