Organisation

This page documents technical impediments, organisational structure and our human processes.

Technical Impediments

OneConnect is a new product, with new technology requirements, involving development teams on multiple continents.

Given this, it's expected that there will be IT problems to solve, and it's important to track them transparently.

The following areas are currently impacting the project:

1. Onboarding new members.

To work on OneConnect, there are multiple resources that people need access to: gerrit repositories, github repositories, jira, teams channels, AWS resources, etc. It has proven difficult for people in external centers to gain access to all of these resources:

  • There are different admins for each resource.
  • There's not a single document to follow to provide the needed access.
  • The NZ IS team is key to starting this process, and they are often overburdened with other work.

A global LDAP system linked into an IDaaS provider would make it easier to onboard members for the systems under the OneConnect team's control, like AWS environments, argocd, terraform etc.

2. Lack of global LDAP system

In OneConnect, we want to be able to do things like:

  • Remove people from OC systems automatically when they leave the company
  • Associate permissions (e.g. for argo, AWS, terraform) with groups of people in an automated way, based on LDAP user.

There is currently no global LDAP system, so this has to be done manually.

Action: NZ IS team is working on a tool to query each center for their staff, so we are alerted when someone leaves. See Greg Crockett for details.

3. Each center has different network configurations, requiring unique workarounds

For example, in ATKK there is a DNS configuration that blocks traffic to google.com. A large amount of time was spent trying to understand why this was breaking our CI pipeline, and coming up with workarounds.

The Carey team in North Carolina will have their own unique network configuration, and we should expect to have to come up with workarounds for that as well.

4. Access to application images over the image registry is slow for ATKK

It takes ~1.5 hours to pull an image in ATKK from the image registry. We spent a lot of time working around this.

The root problem is that there's a slow link between ATNZ and ATKK, and possibly between ATNZ and the US center too.

There are two links: a VPN and a WAN link. Larger volumes of traffic should go over the WAN link. The IS team thinks the image registry traffic is going over the VPN link, which is slower.

It's difficult for the IS team to determine which traffic is going over which link, and to change the configuration to route image registry traffic over the WAN link. Even if this is done, the WAN link may still be insufficient, as it's a 1GB pipe.

There are talks about upgrading the link from 1GB to 10GB.

5. Limits to how many devs can access centralized secret store

We use 1Password as our centralized secret store. There are only 10 seats available, so there's a limit to how many people can gain access to secrets for argocd, AWS environments, terraform, etc.

Action: Ask upper management to pay for 1Password enterprise version