mac todo
Aki puppetized all Fx prod signing macs post-Aug2020-layoffs.
We still need to puppetize the TB signing macs. As of 20200916, dhouse is looking at playing with puppet on tb-mac-v3-signing2. Once that's done, we can puppetize tb-mac-v3-signing1 and be done with this step.
Puppet is currently broken for the dep boxes. Until we fix this, all setup and maintenance for the dep mac signing boxes will be manual.
Once this is fixed, let's puppetize both dep boxes and be done.
Relops is planning on setting up vault for secret management. This is more secure than the current secrets yaml.
When that happens, we can potentially move the 4 cert secrets into the vault service and have puppet consume them from there. This will require security approval. It would let us reimage a machine and end up with a running signer without any manual setup.
We should write a doc on how to maintain the mac signers: how to update python modules, how to restart scriptworker, and how and when to wipe secrets. (This matters more while we don't have end-to-end puppet automation.)
Once the above is complete, we can look at running puppet periodically with pinned python dependencies. When a dependency's pinned version is bumped, the next run should install it automatically, and it should restart scriptworker and/or the notarization poller if critical dependencies or config files changed.
This removes the need to ssh in to update scriptworker or python dependencies, which is less prone to human error and more secure.
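The pinned-dependency-plus-restart pattern above can be expressed directly in a Puppet manifest. The snippet below is an added illustration, not the repo's or Mozilla's own puppet code: the module name `signing_mac`, the `/builds/scriptworker` paths, the `cltbld` user, the launchd label `org.mozilla.scriptworker` and the version `99.0.0` are all made-up placeholders. The point it shows is that the package version is the single pinned value, and the service `subscribe`s to both the package and its config file, so bumping the pin or changing the config is what triggers the restart on the next periodic agent run.

```puppet
# Added illustrative manifest; names, paths and the version are assumptions.
# One pinned version for the critical dependency. Bumping this string is the
# only change needed to roll a new scriptworker out on the next puppet run.
$scriptworker_version = '99.0.0'   # placeholder, not a real release

package { 'scriptworker':
  ensure   => $scriptworker_version,
  provider => 'pip3',
}

# Config file managed by puppet; mode 0600 because it references secrets.
file { '/builds/scriptworker/scriptworker.yaml':
  ensure  => file,
  owner   => 'cltbld',
  group   => 'staff',
  mode    => '0600',
  source  => 'puppet:///modules/signing_mac/scriptworker.yaml',
  require => Package['scriptworker'],
}

# The launchd job is restarted whenever either subscribed resource changes,
# which covers both a dependency bump and a config edit.
service { 'org.mozilla.scriptworker':
  ensure    => running,
  enable    => true,
  provider  => 'launchd',
  subscribe => [
    Package['scriptworker'],
    File['/builds/scriptworker/scriptworker.yaml'],
  ],
}
```

With this in place, a periodic `puppet agent` run (however it is scheduled on the box) is what applies the bump; nothing else in the manifest has to change, and no one needs an interactive ssh session. The notarization poller would get the same treatment as a second `service` resource subscribed to its own package and config.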