Manual Rollout with Puppet
Ben Hearsum edited this page Jan 15, 2021 · 27 revisions
For imaging, see this page.
- As of 2020.04.15, this automatically puppetizes the machine. However, it's busted due to an issue around widevine?
- As of 2020.04.20, widevine is fixed with this commit on the notarization-poller branch.
- As of 2020.06.18, v3 `ronin_puppet` now works, with python 3.8. Details here.
- As of 2020.07.15, it looks like production puppet now works for poller and scriptworker, with python 3.8, for everything but the 4 secrets in `certs/` and starting up the launchctl services. Dep signing puppetization is currently broken. Set these up by hand.
- As of 2021.01.15, puppetization works for prod, tb-prod, and dep.
This will create the following files:

- `/var/root/bootstrap_mojave.sh`, which contains the logic for puppetizing
- `/var/root/vault.yaml`, with the secrets

It's missing the `/etc/puppet` directory.
Ronin Puppet doesn't have all of our secrets, so after a machine is deployed we need to manually perform a few steps. The easiest way to get the secrets is to pull them from an existing signing machine. Failing that, you will likely need to dig into offline backups.
For the dep signing machines, the following files are needed:

- `widevine_dep.crt`
- `dep-signing.keychain`

Copy them into each dep signing user's `certs/` directory and hand ownership to that user:

```sh
# Each entry is "owner:directory under /builds"
for info in "depbld1:dep1" "depbld2:dep2" "tbbld:tb-dep"; do
    username=$(echo "$info" | cut -f1 -d:)
    dir=$(echo "$info" | cut -f2 -d:)
    cp widevine_dep.crt "/builds/${dir}/certs/"
    cp dep-signing.keychain "/builds/${dir}/certs/"
    chown "${username}" "/builds/${dir}/certs/"*
done
```
For the scriptworker (prod) machines, the following files are needed:

- `widevine_prod.crt`
- `nightly-signing.keychain`
- `release-signing.keychain`
- `ed25519_privkey`

Then:

- Copy all the above files to `/builds/scriptworker/certs/`
- The simplest way to do this is to tar up this directory from an existing scriptworker of the same type
- `ed25519_privkey` must have no EOL. If you create it by editing it, make sure to strip the trailing newline: `perl -pi -e 'chomp if eof' ed25519_privkey`
- Fix ownership and permissions so only the scriptworker user can read the secrets:

```sh
chown cltbld /builds/scriptworker/certs/*
chmod 400 /builds/scriptworker/certs/*
```
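Because these secrets are placed by hand, it is worth having a check that confirms a `certs/` directory ended up the way the steps above describe (files present, owned by the right user, mode 400, and `ed25519_privkey` with no trailing newline). The helper below is an added example, not part of ronin_puppet or this page; the expected owners and mode come from the steps above, and the `check_certs_dir` function name is mine.

```shell
#!/bin/sh
# Added verification helper, not part of ronin_puppet or the original page.
# Checks that a signing certs directory is in the state the manual steps
# above leave it in: every listed file present, owned by OWNER, mode 400,
# and ed25519_privkey with no trailing newline (the "no EOL" requirement).
# Usage: check_certs_dir DIR OWNER FILE...   -> returns 0 if all good, else 1

check_certs_dir() {
    dir=$1
    owner=$2
    shift 2
    rc=0
    for f in "$@"; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING: $path"
            rc=1
            continue
        fi
        # ls -ld is portable between macOS and Linux (stat flags are not).
        perms=$(ls -ld "$path" | awk '{print $1}')
        fowner=$(ls -ld "$path" | awk '{print $3}')
        perms=${perms%[@+.]}       # drop macOS xattr/ACL or SELinux marker
        if [ "${perms#?}" != "r--------" ]; then
            echo "BAD MODE ($perms, want 400): $path"
            rc=1
        fi
        if [ "$fowner" != "$owner" ]; then
            echo "BAD OWNER ($fowner, want $owner): $path"
            rc=1
        fi
        # $(...) strips a trailing newline, so an empty result means the
        # last byte is "\n", which is exactly what the key must not have.
        if [ "$f" = ed25519_privkey ]; then
            if [ ! -s "$path" ]; then
                echo "EMPTY: $path"
                rc=1
            elif [ -z "$(tail -c1 "$path")" ]; then
                echo "TRAILING NEWLINE: $path"
                rc=1
            fi
        fi
    done
    return "$rc"
}

# Example: the prod scriptworker layout from the steps above.
# check_certs_dir /builds/scriptworker/certs cltbld \
#     widevine_prod.crt nightly-signing.keychain release-signing.keychain ed25519_privkey
```

For the dep machines, call it once per `/builds/<dir>/certs` with the matching owner from the loop above (e.g. `depbld1` for `dep1`).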