Bug 1412836 - Set up a pushapk_scriptworker instance that supports dep-signing r=aki
MozReview-Commit-ID: BDD6ZdIBctg
--- a/manifests/moco-nodes.pp
+++ b/manifests/moco-nodes.pp
@@ -1025,16 +1025,24 @@ node /beetmover-dev.*\.srv\.releng\..*\.
$aspects = [ 'maximum-security' ]
$beetmoverworker_env = 'dev'
$timezone = 'UTC'
$only_user_ssh = true
include toplevel::server::beetmoverscriptworker
}
# Pushapk scriptworkers
+node /dep-pushapkworker-.*\.srv\.releng\..*\.mozilla\.com/ {
+ $aspects = [ 'maximum-security' ]
+ $pushapk_scriptworker_env = 'dep'
+ $timezone = 'UTC'
+ $only_user_ssh = true
+ include toplevel::server::pushapkscriptworker
+}
+
node /pushapkworker-.*\.srv\.releng\..*\.mozilla\.com/ {
$aspects = [ 'maximum-security' ]
$pushapk_scriptworker_env = 'prod'
$timezone = 'UTC'
$only_user_ssh = true
include toplevel::server::pushapkscriptworker
}
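Review bot: The new dep node statement overlaps with the existing prod one right below it: `/pushapkworker-.*\.srv\.releng\..*\.mozilla\.com/` is unanchored, so a dep hostname (constructed example: dep-pushapkworker-1.srv.releng.usw2.mozilla.com) also matches the prod node. Which of several matching regex node statements Puppet applies should not be relied on, and if the prod one wins the dep host is handed the prod Taskcluster client id/access token and the prod Google Play and jarsigner certificates from pushapk_scriptworker::settings. Anchoring the prod pattern removes the ambiguity: `node /^pushapkworker-.*\.srv\.releng\..*\.mozilla\.com/ {`.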
new file mode 100644
--- /dev/null
+++ b/modules/pushapk_scriptworker/files/dep.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/modules/pushapk_scriptworker/files/nightly.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDLzCCAu2gAwIBAgIES/LPETALBgcqhkjOOAQDBQAwezELMAkGA1UEBhMCVVMx
+EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxEDAO
+BgNVBAoTB01vemlsbGExFDASBgNVBAsTC1JlbEVuZyBUZWFtMRcwFQYDVQQDEw5N
+b3ppbGxhIEJ1aWxkczAeFw0xMDA1MTgxNzMyMDFaFw0zNTA1MTIxNzMyMDFaMHsx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3Vu
+dGFpbiBWaWV3MRAwDgYDVQQKEwdNb3ppbGxhMRQwEgYDVQQLEwtSZWxFbmcgVGVh
+bTEXMBUGA1UEAxMOTW96aWxsYSBCdWlsZHMwggG3MIIBLAYHKoZIzjgEATCCAR8C
+gYEA/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F
+9bow9subVWzXgTuAHTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYV
+DwT7g/bTxR7DAjVUE1oWkTL2dfOuK2HXKu/yIgMZndFIAccCFQCXYFCPFSMLzLKS
+uYKi64QL8Fgc9QKBgQD34aCF1ps93su8q1w2uFe5eZSvu/o66oL5V0wLPQeCZ1FZ
+V4661FlP5nEHEIGAtEkWcSPoTCgWE7fPCTKMyKbhPBZ6i1R8jSjgo64eK7OmdZFu
+o38L+iE1YvH7YnoBJDvMpPG+qFGQiaiD3+Fa5Z8GkotmXoB7VSVkAUw7/s9JKgOB
+hAACgYBtE5rNIMNHTS9CSFmzPGbuT45lujD+aeKf5FFA3DsMtnpcPwELDYkOXg2j
+nMrsMeJH2U8L+UaMB1zKZIXM7wZwTbfpwZoVOxKwSsZkRhbBlVk86aNANvWg+Tvj
+TO3o2gYYGJqrXOakbOlOKwSoxjOaVJJZLB1cgU1HRNscwEdS5zALBgcqhkjOOAQD
+BQADLwAwLAIUWXJkAVhbr3yUKW8H+4vr0agw+PgCFHzN5Nm0ptN4yU6/Xp17U1kQ
+DHxs
+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/modules/pushapk_scriptworker/files/release.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDpjCCAo6gAwIBAgIETHL9iDANBgkqhkiG9w0BAQUFADCBlDELMAkGA1UEBhMC
+VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcx
+HDAaBgNVBAoTE01vemlsbGEgQ29ycG9yYXRpb24xHDAaBgNVBAsTE1JlbGVhc2Ug
+RW5naW5lZXJpbmcxHDAaBgNVBAMTE1JlbGVhc2UgRW5naW5lZXJpbmcwHhcNMTAw
+ODIzMjMwMDI0WhcNMzgwMTA4MjMwMDI0WjCBlDELMAkGA1UEBhMCVVMxEzARBgNV
+BAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxHDAaBgNVBAoT
+E01vemlsbGEgQ29ycG9yYXRpb24xHDAaBgNVBAsTE1JlbGVhc2UgRW5naW5lZXJp
+bmcxHDAaBgNVBAMTE1JlbGVhc2UgRW5naW5lZXJpbmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC0Fg+zJOrAO9n3yiGglHadaBHV6d4qIxS4byebfeBb
+CGRl7C3aHbICO8GzP3PpLFLtGFu5X8tdLYFmf252Jm523oNrPpKNlN2WdbtuwFH8
+N4r/roUVjk/61O0nyfPvyPp2Qf8I5DtMVt7RdtmBy4PPhwAtD+VasAdT+PJVtS8E
+udMBc/wsm5gLbqJNGuYuD+DnPmklkeT01XAXOZKdkcaHTMuTK9Uzuj9FWGojBr05
+56oC+pDAJxpQ+jvej+Tdgg/oFDoYeVcXNJz8MunO7L0BMjx8hvMTKxQDQb/G3CbA
+VZEnFpUQsBgc+oG1SR3XydwN4/KrBrjc3XMxaSg5+GVlAgMBAAEwDQYJKoZIhvcN
+AQEFBQADggEBAHoGsXufXknP6G/HvZFVuedV0vdwgCw8nXC94ye7VPXX5B6LsaRm
+2sMOmTPySbqfBiQHlNVq+bNq+wHiJy9X0U6coWJzOw3Yujc/tGVCjFz+FDdvCOWN
+ZcgvGPbCYlVRn1JEw8NMn1UuH8tS9xvMYhgPU+gCciGvcWvlrcVbk5R4clwSy2iL
+rWFxaND4A1E6bBC+FHJQ7XtdLTdWkTXoHOyji7p73LX5qAK65nQNha4KTD+yfaeM
+xbjC+uTY82GJSscCNr3LPq35829G7khmL5vk4i7aSeG02x6RGrly2JJSmPFugxNE
+2ogQWanA+84inv6ucZdA6XXX8NxpHMygqc4=
+-----END CERTIFICATE-----
--- a/modules/pushapk_scriptworker/manifests/init.pp
+++ b/modules/pushapk_scriptworker/manifests/init.pp
@@ -32,38 +32,39 @@ class pushapk_scriptworker {
'cryptography==1.9',
'defusedxml==0.5.0',
'frozendict==1.2',
'google-api-python-client==1.6.2',
'httplib2==0.10.3',
'idna==2.5',
'jsonschema==2.6.0',
'mohawk==0.3.4',
- 'mozapkpublisher==0.4.0',
+ 'mozapkpublisher==0.5.0',
'multidict==2.1.6',
'oauth2client==4.1.1',
'pexpect==4.2.1',
'ptyprocess==0.5.1',
- 'pushapkscript==0.3.4',
+ 'pushapkscript==0.4.0',
'pyasn1==0.2.3',
'pyasn1-modules==0.0.9',
'pycparser==2.17',
'pyOpenSSL==17.0.0',
'python-dateutil==2.6.0',
'python-gnupg==0.4.0',
'PyYAML==3.12',
'requests==2.18.1',
'rsa==3.4.2',
'scriptworker==5.2.3',
'six==1.10.0',
'slugid==1.0.7',
'taskcluster==1.3.3',
'uritemplate==3.0.0',
'urllib3==1.21.1',
'virtualenv==15.1.0',
+ 'voluptuous==0.10.5',
'yarl==0.10.3',
];
}
scriptworker::instance {
$pushapk_scriptworker::settings::root:
instance_name => $module_name,
basedir => $pushapk_scriptworker::settings::root,
@@ -76,36 +77,53 @@ class pushapk_scriptworker {
taskcluster_client_id => $pushapk_scriptworker::settings::taskcluster_client_id,
taskcluster_access_token => $pushapk_scriptworker::settings::taskcluster_access_token,
worker_group => $pushapk_scriptworker::settings::worker_group,
worker_type => $pushapk_scriptworker::settings::worker_type,
cot_job_type => 'pushapk',
+ sign_chain_of_trust => $pushapk_scriptworker::settings::sign_chain_of_trust,
+ verify_chain_of_trust => $pushapk_scriptworker::settings::verify_chain_of_trust,
+ verify_cot_signature => $pushapk_scriptworker::settings::verify_cot_signature,
+
verbose_logging => $pushapk_scriptworker::settings::verbose_logging,
}
File {
ensure => present,
mode => '0600',
owner => $pushapk_scriptworker::settings::user,
group => $pushapk_scriptworker::settings::group,
show_diff => false,
}
$google_play_config = $pushapk_scriptworker::settings::google_play_config
-
+ $config_content = $pushapk_scriptworker::settings::script_config_content
file {
$pushapk_scriptworker::settings::script_config:
require => Python35::Virtualenv[$pushapk_scriptworker::settings::root],
- content => template("${module_name}/script_config.json.erb");
-
- $google_play_config['aurora']['certificate_target_location']:
- content => $google_play_config['aurora']['certificate'];
+ content => inline_template("<%- require 'json' -%><%= JSON.pretty_generate(@config_content) %>");
+ }
- $google_play_config['beta']['certificate_target_location']:
- content => $google_play_config['beta']['certificate'];
-
- $google_play_config['release']['certificate_target_location']:
- content => $google_play_config['release']['certificate'];
+ case $pushapk_scriptworker_env {
+ 'dep': {
+ file {
+ $google_play_config['dep']['certificate_target_location']:
+ content => $google_play_config['dep']['certificate'];
+ }
+ }
+ 'prod': {
+ file {
+ $google_play_config['aurora']['certificate_target_location']:
+ content => $google_play_config['aurora']['certificate'];
+ $google_play_config['beta']['certificate_target_location']:
+ content => $google_play_config['beta']['certificate'];
+ $google_play_config['release']['certificate_target_location']:
+ content => $google_play_config['release']['certificate'];
+ }
+ }
+ default: {
+ fail("Invalid pushapk_scriptworker_env given: $pushapk_scriptworker_env")
+ }
}
}
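Review bot: The `case $pushapk_scriptworker_env` dispatch here repeats the one in pushapk_scriptworker::settings, which already rejects unknown envs and builds `$google_play_config` with exactly the keys this branch writes, so the `default: fail(...)` arm here is unreachable and the two case statements have to be kept in sync by hand. Since settings.pp is already computing per-env hashes, it could additionally publish a file-resource hash (target path => { content => ... }) and this class could write the .p12 files with a single `create_resources('file', $pushapk_scriptworker::settings::google_play_certificate_files)`, which sidesteps the Puppet 3 `each` limitation noted in settings.pp, assuming create_resources is available in the Puppet release in use. Separately, the variable in the fail() message should be enclosed, `fail("Invalid pushapk_scriptworker_env given: ${pushapk_scriptworker_env}")`; the same applies to the identical lines added in jarsigner_init.pp and settings.pp.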
--- a/modules/pushapk_scriptworker/manifests/jarsigner_init.pp
+++ b/modules/pushapk_scriptworker/manifests/jarsigner_init.pp
@@ -1,39 +1,58 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
class pushapk_scriptworker::jarsigner_init {
include ::config
include packages::jdk17
- $nightly = $pushapk_scriptworker::settings::jarsigner_nightly_certificate
- $release = $pushapk_scriptworker::settings::jarsigner_release_certificate
-
File {
ensure => 'present',
show_diff => false,
}
- file {
- $nightly:
- content => secret('pushapk_scriptworker_nightly_jarsigner_certificate');
-
- $release:
- content => secret('pushapk_scriptworker_release_jarsigner_certificate');
- }
-
Java_ks {
ensure => latest,
target => $pushapk_scriptworker::settings::jarsigner_keystore,
password => $pushapk_scriptworker::settings::jarsigner_keystore_password,
trustcacerts => true,
}
- java_ks {
- $pushapk_scriptworker::settings::jarsigner_nightly_certificate_alias:
- certificate => $nightly;
+ case $pushapk_scriptworker_env {
+ 'dep': {
+ $dep = $pushapk_scriptworker::settings::jarsigner_all_certificates['dep']
+ file {
+ $dep:
+ source => 'puppet:///modules/pushapk_scriptworker/dep.pem';
+ }
+
+ java_ks {
+ 'dep':
+ certificate => $dep;
+ }
+ }
+ 'prod': {
+ $nightly = $pushapk_scriptworker::settings::jarsigner_all_certificates['nightly']
+ $release = $pushapk_scriptworker::settings::jarsigner_all_certificates['release']
- $pushapk_scriptworker::settings::jarsigner_release_certificate_alias:
- certificate => $release;
+ file {
+ $nightly:
+ source => 'puppet:///modules/pushapk_scriptworker/nightly.pem';
+
+ $release:
+ source => 'puppet:///modules/pushapk_scriptworker/release.pem';
+ }
+
+ java_ks {
+ 'nightly':
+ certificate => $nightly;
+
+ 'release':
+ certificate => $release;
+ }
+ }
+ default: {
+ fail("Invalid pushapk_scriptworker_env given: $pushapk_scriptworker_env")
+ }
}
}
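Review bot: The java_ks titles `'dep'`, `'nightly'` and `'release'` are the keystore aliases the script will look up, and they must equal the values of `$jarsigner_certificate_aliases_content` in pushapk_scriptworker::settings ('dep' => 'dep', 'aurora' => 'nightly', 'beta'/'release' => 'release'); nothing in this file ties the two together, so a later rename on either side would produce a keystore whose aliases no longer match script_config.json without any catalog error. The keys of `$jarsigner_all_certificates` already use the same names, so at minimum a comment above the case, `# java_ks titles are keystore aliases; keep them equal to the values of settings::jarsigner_certificate_aliases_content and the keys of settings::jarsigner_all_certificates`, would make the coupling visible. Deriving the titles from that settings hash instead of literals would be better still once the Puppet 4 migration mentioned in settings.pp allows iteration.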
--- a/modules/pushapk_scriptworker/manifests/settings.pp
+++ b/modules/pushapk_scriptworker/manifests/settings.pp
@@ -4,70 +4,137 @@
class pushapk_scriptworker::settings {
include ::config
include users::builder
$root = $config::scriptworker_root
$_env_configs = {
- 'dev' => {
- worker_group => 'pushapk-v1-dev',
- worker_type => 'pushapk-v1-dev',
+ 'dep' => {
+ worker_group => 'dep-pushapk',
+ worker_type => 'dep-pushapk',
verbose_logging => true,
- taskcluster_client_id => secret('pushapk_scriptworker_taskcluster_client_id_dev'),
- taskcluster_access_token => secret('pushapk_scriptworker_taskcluster_access_token_dev'),
+ taskcluster_client_id => secret('pushapk_scriptworker_taskcluster_client_id_dep'),
+ taskcluster_access_token => secret('pushapk_scriptworker_taskcluster_access_token_dep'),
+
+ sign_chain_of_trust => false,
+ verify_chain_of_trust => true,
+ verify_cot_signature => false,
},
'prod' => {
worker_group => 'pushapk-v1',
worker_type => 'pushapk-v1',
verbose_logging => true,
taskcluster_client_id => secret('pushapk_scriptworker_taskcluster_client_id_prod'),
taskcluster_access_token => secret('pushapk_scriptworker_taskcluster_access_token_prod'),
+
+ sign_chain_of_trust => true,
+ verify_chain_of_trust => true,
+ verify_cot_signature => true,
},
}
$_env_config = $_env_configs[$pushapk_scriptworker_env]
$schema_file = "${root}/lib/python3.5/site-packages/pushapkscript/data/pushapk_task_schema.json"
$work_dir = "${root}/work"
- $script_config = "${root}/script_config.json"
$task_script = "${root}/bin/pushapkscript"
$user = $users::builder::username
$group = $users::builder::group
$taskcluster_client_id = $_env_config['taskcluster_client_id']
$taskcluster_access_token = $_env_config['taskcluster_access_token']
$worker_group = $_env_config['worker_group']
$worker_type = $_env_config['worker_type']
+ $sign_chain_of_trust = $_env_config['sign_chain_of_trust']
+ $verify_chain_of_trust = $_env_config['verify_chain_of_trust']
+ $verify_cot_signature = $_env_config['verify_cot_signature']
+
$_google_play_all_accounts = hiera_hash('pushapk_scriptworker_google_play_accounts')
$_google_play_accounts = $_google_play_all_accounts[$fqdn]
- $google_play_config = {
- 'aurora' => {
- service_account => $_google_play_accounts['aurora']['service_account'],
- certificate => $_google_play_accounts['aurora']['certificate'],
- certificate_target_location => "${root}/aurora.p12",
- },
- 'beta' => {
- service_account => $_google_play_accounts['beta']['service_account'],
- certificate => $_google_play_accounts['beta']['certificate'],
- certificate_target_location => "${root}/beta.p12",
- },
- 'release' => {
- service_account => $_google_play_accounts['release']['service_account'],
- certificate => $_google_play_accounts['release']['certificate'],
- certificate_target_location => "${root}/release.p12",
- },
+
+ # TODO: Replace this cumbersome logic by an `each` loop once we switch to Puppet 4
+ case $pushapk_scriptworker_env {
+ 'dep': {
+ $google_play_config = {
+ 'dep' => {
+ service_account => $_google_play_accounts['dep']['service_account'],
+ certificate => $_google_play_accounts['dep']['certificate'],
+ certificate_target_location => "${root}/dep.p12",
+ },
+ }
+ $google_play_accounts_config_content = {
+ 'dep' => {
+ 'service_account' => $google_play_config['dep']['service_account'],
+ 'certificate' => $google_play_config['dep']['certificate_target_location'],
+ }
+ }
+ $jarsigner_certificate_aliases_content = {
+ 'dep' => 'dep',
+ }
+ }
+ 'prod': {
+ $google_play_config = {
+ 'aurora' => {
+ service_account => $_google_play_accounts['aurora']['service_account'],
+ certificate => $_google_play_accounts['aurora']['certificate'],
+ certificate_target_location => "${root}/aurora.p12",
+ },
+ 'beta' => {
+ service_account => $_google_play_accounts['beta']['service_account'],
+ certificate => $_google_play_accounts['beta']['certificate'],
+ certificate_target_location => "${root}/beta.p12",
+ },
+ 'release' => {
+ service_account => $_google_play_accounts['release']['service_account'],
+ certificate => $_google_play_accounts['release']['certificate'],
+ certificate_target_location => "${root}/release.p12",
+ },
+ }
+ $google_play_accounts_config_content = {
+ 'aurora' => {
+ 'service_account' => $google_play_config['aurora']['service_account'],
+ 'certificate' => $google_play_config['aurora']['certificate_target_location'],
+ },
+ 'beta' => {
+ 'service_account' => $google_play_config['beta']['service_account'],
+ 'certificate' => $google_play_config['beta']['certificate_target_location'],
+ },
+ 'release' => {
+ 'service_account' => $google_play_config['release']['service_account'],
+ 'certificate' => $google_play_config['release']['certificate_target_location'],
+ },
+ }
+ $jarsigner_certificate_aliases_content = {
+ 'aurora' => 'nightly',
+ 'beta' => 'release',
+ 'release' => 'release',
+ }
+ }
+ default: {
+ fail("Invalid pushapk_scriptworker_env given: $pushapk_scriptworker_env")
+ }
}
$jarsigner_keystore = "${root}/mozilla-android-keystore"
$jarsigner_keystore_password = secret('pushapk_scriptworker_jarsigner_keystore_password')
- $jarsigner_nightly_certificate = "${root}/nightly.cer"
- $jarsigner_nightly_certificate_alias = 'nightly'
-
- $jarsigner_release_certificate = "${root}/release.cer"
- $jarsigner_release_certificate_alias = 'release'
+ $jarsigner_all_certificates = {
+ 'nightly' => "${root}/nightly.cer",
+ 'release' => "${root}/release.cer",
+ 'dep' => "${root}/dep.cer",
+ }
$verbose_logging = $_env_config['verbose_logging']
+ $script_config = "${root}/script_config.json"
+ $script_config_content = {
+ 'work_dir' => $work_dir,
+ 'schema_file'=> $schema_file,
+ 'verbose' => $verbose_logging,
+
+ 'google_play_accounts' => $google_play_accounts_config_content,
+ 'jarsigner_key_store' => $jarsigner_keystore,
+ 'jarsigner_certificate_aliases' => $jarsigner_certificate_aliases_content,
+ }
}
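Review bot: The chain-of-trust flags added to `$_env_configs` carry no explanation of why `dep` differs from `prod` (`sign_chain_of_trust => false` and `verify_cot_signature => false` while `verify_chain_of_trust` stays true); these values decide how much of the upstream task chain the worker trusts before it signs and publishes, so the intent belongs next to the values rather than being inferred from the commit title. A comment above the 'dep' entry such as `# dep: upstream tasks are dep-signed, so the CoT structure is verified but its signatures are not, and this worker does not sign its own CoT -- confirm this matches the dep-signing setup` would do. The `dep-pushapk` worker_group/worker_type also breaks with the `pushapk-v1` naming used for prod; if that is intentional, say so in the same place. Minor: `'schema_file'=> $schema_file,` lacks the space before `=>` that the surrounding keys use.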
deleted file mode 100644
--- a/modules/pushapk_scriptworker/templates/script_config.json.erb
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "work_dir": "<%= scope['pushapk_scriptworker::settings::work_dir'] %>",
- "schema_file": "<%= scope['pushapk_scriptworker::settings::schema_file'] %>",
- "verbose": <%= scope['pushapk_scriptworker::settings::verbose_logging'] %>,
-
- "google_play_accounts": {
- "aurora": {
- "service_account": "<%= @google_play_config['aurora']['service_account'] %>",
- "certificate": "<%= @google_play_config['aurora']['certificate_target_location'] %>"
- },
- "beta": {
- "service_account": "<%= @google_play_config['beta']['service_account'] %>",
- "certificate": "<%= @google_play_config['beta']['certificate_target_location'] %>"
- },
- "release": {
- "service_account": "<%= @google_play_config['release']['service_account'] %>",
- "certificate": "<%= @google_play_config['release']['certificate_target_location'] %>"
- }
- },
-
- "jarsigner_key_store": "<%= scope['pushapk_scriptworker::settings::jarsigner_keystore'] %>",
- "jarsigner_certificate_aliases": {
- "aurora": "<%= scope['pushapk_scriptworker::settings::jarsigner_nightly_certificate_alias'] %>",
- "beta": "<%= scope['pushapk_scriptworker::settings::jarsigner_release_certificate_alias'] %>",
- "release": "<%= scope['pushapk_scriptworker::settings::jarsigner_release_certificate_alias'] %>"
- }
-}