Closed Bug 1589166 Opened 5 years ago Closed 5 years ago

Deploy Autograph 3.9.0 for train-6

Categories

(Cloud Services :: Operations: Deployment Requests - DEPRECATED, task)

Product:
Cloud Services
Component:
Operations: Deployment Requests - DEPRECATED
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jvehent, Assigned: u581815)

References

(Blocks 1 open bug)

Details

Tracker for Train-6, to be deployed the week of november 4th.

Depends on: 1589168
Depends on: 1573529
Depends on: 1489946

train-6 branch started in autograph-hiera-sops

Depends on: 1592828
See Also: → 1593330

infra changes:

  • Nginx tweaks
    • turn on sendfile & set client_body_buffer_size to 512k
    • fixing access logs parsing in stackdriver

config changes:

  • bug 1592828 add v1 apk signer for FxR back for Gear/Go stores
  • bug 1573529 finish replacing rsapss signers with genericrsa for widevine signers in stage and prod
  • bug 1587530 add authenticode ev creds for releng
  • bug 1590208 add xpi ext dep signer and split addons workflow creds into dep and rel
  • bug 1489946 enable apk2 signing for Fenix Dep, Nightly, and Beta

code changes:

  • bump golang 1.13.3 -> 1.13.4 https://github.com/golang/go/issues?q=milestone%3AGo1.13.4
    • Includes a net/http: transport caches permanently broken persistent connections if write error happens during h2 handshake [1.13 backport]
  • dep updates
  • env var option to enable profiling with HTTP interface
  • doc fixes
  • make log level configurable via CLI option
  • drop explicit crypto11 pkg usage in mar signer

full diff: https://github.com/mozilla-services/autograph/compare/3.8.0...3.9.0
image tag: https://hub.docker.com/r/mozilla/autograph/tags/?page=1&name=3.9.0

Summary: Deploy Autograph {{TAG}} for train-6 → Deploy Autograph 3.9.0 for train-6

app stage is deployed

stage QA:

  • monitor passing RequestId: 74343edd-c70d-4014-8d43-14894072dca0
  • proxy monitor passing RequestId: e6802100-96c0-4254-bfca-0c714d32a063
  • AMO test addons signs and signature looks good

:aki can you run releng tests against stage?

:bpitts or :miles can you run "./manage.py update_signatures --force" to test signing Normandy recipes on the Normandy stage admin host?

Flags: needinfo?(miles)
Flags: needinfo?(bpitts)
Flags: needinfo?(aki)

Normandy signing succeeded in stage.

Flags: needinfo?(bpitts)

Thanks bpitts!

Flags: needinfo?(miles)

Stage mar signing went green. https://tools.taskcluster.net/tasks/YyKI6vnnShCgIMIW_2lX2w

Flags: needinfo?(aki)

Thanks aki!

For Kinto QA the refresh lambda completed without errors and stage preview is green, stage syncs but has warnings for some collections (no error strings, the pending changes might need to be approved).

I think we're good to deploy prod.

Prod deploy complete. csigpki signature renewed. Starting QA.

prod QA:

  • monitors passing and I see the new fx_reality_apk_v1 and extension_rsa_dep
  • AMO test addon signed and sig looks good
  • Kinto refresh lambda passed (RequestId: ed08e3de-fc0c-4e19-beef-866d9a9a9594) prod and prod preview synced without errors or warnings

:bpitts or :miles can you run "./manage.py update_signatures --force" to test signing Normandy recipes on the Normandy prod admin host?

Flags: needinfo?(miles)
Flags: needinfo?(bpitts)

Normandy signing succeeded in prod.

Flags: needinfo?(miles)
Flags: needinfo?(bpitts)

Thanks bpitts!

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.