Closed Bug 1564119 Opened 6 years ago Closed 6 years ago

Make the stage server key for `releng_systemaddon` available on the production server

Categories

(Cloud Services :: Operations: Autograph, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Callek, Unassigned)

References

Details

So, on every push we contact autograph to sign omnija using releng_systemaddon. We want the every-push key to be different than the release-key (specifically so that try/etc uses a different key)

Right now production automation is contacting the stage server, this should change but not by using the production release key even on try.

OK so we can:

  • move the stage systemaddon key/signer to prod as systemaddon_dep

  • in prod, rename the systemaddon key/signer to systemaddon_rel

  • create prod creds for that key with HAWK ID releng_systemaddon_dep

  • in prod, rename the releng_systemaddon HAWK ID to releng_systemaddon_rel with the existing hawk creds (but scripts using the keyid would need to be updated)

Which would leave us with releng_systemaddon_{dep,rel} hawk creds in prod and system with access to systemaddon_{dep,rel} keys.

Did anything ship with the stage signed key? It'd be cleaner to generate a new one and not move the stage key around.

(In reply to Greg Guthe [:g-k] [:gguthe] from comment #1)

> OK so we can:
>
>   • move the stage systemaddon key/signer to prod as systemaddon_dep
>
>   • in prod, rename the systemaddon key/signer to systemaddon_rel
>
>   • create prod creds for that key with HAWK ID releng_systemaddon_dep
>
>   • in prod, rename the releng_systemaddon HAWK ID to releng_systemaddon_rel with the existing hawk creds (but scripts using the keyid would need to be updated)

Either set of options is fine, however I should note that betas and stuff on-push also use the prod releng_systemaddon HAWK ID right now, so if possible I'd like an overlap of releng_systemaddon and releng_systemaddon_rel working for the same key material, so that we can avoid a tightly coupled rollout.

> Which would leave us with releng_systemaddon_{dep,rel} hawk creds in prod and system with access to systemaddon_{dep,rel} keys.

Perfect end state to me.

> Did anything ship with the stage signed key? It'd be cleaner to generate a new one and not move the stage key around.

I'm pretty sure nothing shipped to users with the stage signed key, so I'm ok with a regen of that one.

Blocks: 1564264
No longer blocks: 1563796
See Also: → 1563796
Depends on: 1566184

OK in bc93bb2d7ef629fd4fb95dd2d727ecd1c1a942fa I preserved the existing hawk creds, added _dep and _rel creds to stage (both point to the stage key) and prod, and copied the stage key to prod as systemaddon_dep.

The only breaking change is adding _rel to the systemaddon_rsa key in prod, but I can duplicate the key and remove it on a later deploy if something is using that keyid.

:Callek does anything use the keyid param for SAO signing or do they just use the default?

Flags: needinfo?(bugspam.Callek)

Sent the updated creds to :Callek with :catlee copied.

(In reply to Greg Guthe [:g-k] [:gguthe] from comment #3)

> :Callek does anything use the keyid param for SAO signing or do they just use the default?

We don't explicitly use the keyid param, though things are using the original user/pass hawk creds I was provided in production, so if those invalidate we'll need a chance to cut over after prod deploy.

Flags: needinfo?(bugspam.Callek)

OK thanks! The hawk creds are the same, so I think we're all good.
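As an added example (not Autograph's or RelEng's code), a small pre-deploy check that models the before/after prod config with the signer and HAWK ids named in comment 1 and asserts what the thread agreed on: the existing releng_systemaddon creds keep signing with the same key as releng_systemaddon_rel, dep and rel are distinct keys, and any signer id dropped from the config is reported as a keyid that would break a client passing it explicitly. The key strings, the pre-change signer id `systemaddon` and the rule that a request without keyid uses the first signer its HAWK id is authorized for are assumptions.

```python
# Added example, not Autograph's or RelEng's code: a pre-deploy check for the
# signer/HAWK-id rollout in this bug. Assumptions: key strings are placeholders,
# the pre-change signer id is "systemaddon" (comment 1), and a request without
# an explicit keyid uses the first signer its HAWK id is authorized for.
STAGE_KEY = "<stage systemaddon key>"  # constructed placeholder
PROD_KEY = "<prod systemaddon key>"    # constructed placeholder
# Prod before the change: one signer, one HAWK id.
BEFORE = {
    "signers": {"systemaddon": PROD_KEY},
    "authorizations": {"releng_systemaddon": ["systemaddon"]},
}
# Prod end state per comments 1-3: old HAWK id kept with the same secret,
# _dep/_rel ids added, former stage key copied in as systemaddon_dep.
AFTER = {
    "signers": {"systemaddon_rel": PROD_KEY, "systemaddon_dep": STAGE_KEY},
    "authorizations": {
        "releng_systemaddon": ["systemaddon_rel"],
        "releng_systemaddon_rel": ["systemaddon_rel"],
        "releng_systemaddon_dep": ["systemaddon_dep"],
    },
}

def resolve_signer(config, hawk_id, keyid=None):
    """Signer a request would use, or None if it would be refused."""
    allowed = config["authorizations"].get(hawk_id, [])
    if not allowed:
        return None
    if keyid is None:
        return allowed[0]  # default signer for this HAWK id
    return keyid if keyid in allowed else None

def signing_key(config, hawk_id, keyid=None):
    signer = resolve_signer(config, hawk_id, keyid)
    return None if signer is None else config["signers"][signer]

def check_rollout(before, after, legacy="releng_systemaddon"):
    """Rollout invariants agreed in the thread that `after` violates."""
    problems = []
    if signing_key(after, legacy) != signing_key(before, legacy):
        problems.append("legacy HAWK id no longer signs with its old key")
    if signing_key(after, legacy) != signing_key(after, legacy + "_rel"):
        problems.append("legacy and _rel HAWK ids sign with different keys")
    if signing_key(after, legacy + "_dep") == signing_key(after, legacy + "_rel"):
        problems.append("dep and rel share key material")
    return problems

def removed_keyids(before, after):
    """Signer ids that vanish: a client passing one as keyid would break."""
    return sorted(k for k in before["signers"] if k not in after["signers"])
```

Running `check_rollout(BEFORE, AFTER)` returns an empty list for the agreed end state, while `removed_keyids` lists the one keyid that would break, matching the question Greg asks in comment 3.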

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED