Generalize the method adding our 2i2c staff to all hubs

[jmunroe]

Context

We need to ensure all of our new people have access to our hubs ( currently hardcoded into helm-charts/basehub/values.yaml ). Is the "right" solution just to continue to add people to this growing list? Or should there be a more general solution (like a 2i2c-org github team). I'd appreciate someone from engineering picking up this task so that Harold, April, Angus, and Giuliano have access to all of our hubs and especially https://showcase.2i2c.cloud

Proposal

The quick solution is to just at the GitHub usernames for our newly onboarded people to helm-charts/basehub/values.yaml (this may already be implicit in our onboarding procedures).

Given that this is something that could be automated, could we implement something that the members of a '2i2c GitHub staff team' be to the source for this list of people? I realize that not all hubs use GitHub or CILogin for authentication so perhaps that is why we need to hardcode these user names.

Is possible to code up some sort of GitHub action so that changing the membership in the 2i2c GitHub staff team automatically changes the list of names that are hardcoded in helm-charts/basehub/values.yaml.

Updates and actions

I am asking @2i2c-org/engineering to discuss and implement a way to accomplish this that is secure and automated OR to decide that continuing to add names manually still is the recommended approach.

[yuvipanda]

I realize that not all hubs use GitHub or CILogin for authentication so perhaps that is why we need to hardcode these user names.

Yes, this is the primary reason we have things set up the way they are.

The quick solution is to just at the GitHub usernames for our newly onboarded people to helm-charts/basehub/values.yaml (this may already be implicit in our onboarding procedures).

My suggestion is to just make this explicit, and make it part of the onboarding checklist. I think anything else is going to currently take a disproportionate amount of resources, and be fiddly.

[consideRatio]

I realize that not all hubs use GitHub or CILogin for authentication so perhaps that is why we need to hardcode these user names.

I think all but one (utoronto) allows us in 2i2c to login with either github or google users (we update two lists, one for github accounts and one for google accounts). We also provide admin right as well to most huns, not just the normal access to start a server etc.

I currently see the technical alternatives I've considered as too complicated to be valuable enough to develop/document/maintain, so I'm currently favoring we retain the current strategy.

[sgibson91]

Another reason we hard code in helm values is that this is how 2i2c get admin rights to the hub (not just access). There is no current mechanism that supports giving admin rights to a GitHub team.

+1 for making it an explicit checkpoint in onboarding

Jenny already made a PR, is there somewhere else this info needs to be? 2i2c-org/team-compass#783

[yuvipanda]

Handled by 2i2c-org/team-compass#783