[RELENG-779] VPN Signing worker changes #372

Open
hneiva opened this issue Jan 28, 2022 · 2 comments
Contributor

hneiva commented Jan 28, 2022

Adhoc Worker

I'll keep track of the changes being done to mac-v3-signing20.srv.releng.mdc1.mozilla.com here, so when we decide to automate/puppetize it, there's a reference to the changes made there.

  • Reset the client token
  • Updated values in /builds/scriptworker/taskcluster.yaml (backup in taskcluster.bkp.yaml)
  • script_config.yaml: removed all supported_behaviors and added only mac_notarize_vpn

Dep worker

Following aki's steps to create dep signer:

  • Created depbld user with random throwaway password
    /usr/sbin/sysadminctl -addUser depbld -admin -password -
  • Added user to visudo restricted to package build binary only
    depbld ALL=(root) NOPASSWD: /usr/bin/pkgbuild
  • Create build folder
    sudo mkdir /builds/dep && sudo chown cltbld:staff /builds/dep
  • Switch to user and cd to folder
    sudo -u depbld -i
    cd /builds/dep
  • Created python virtual environment
    python3 -m venv virtualenv
  • Activate venv
    source virtualenv/bin/activate
  • Copy over requirements.txt from prod
    cp /builds/scriptworker/requirements.txt ./requirements.txt
  • Install python packages
    pip install -r requirements.txt
  • Install iscript, scriptworker, scriptworker_client, mozbuild
    pip install \
      git+https://github.com/mozilla-releng/scriptworker.git@main \
      git+https://github.com/mozilla-releng/scriptworker-scripts.git@master#subdirectory=scriptworker_client \
      git+https://github.com/mozilla-releng/scriptworker-scripts.git@master#subdirectory=vendored/mozbuild \
      git+https://github.com/mozilla-releng/scriptworker-scripts.git@master#subdirectory=iscript
  • Manually copied /certs/, /scriptworker.yaml and /script_config.yaml from dep-mac-v3-signing3.srv.releng.mdc1.mozilla.com:/builds/dep1
    ❗Note: Make sure to verify ownership and access
    ❗Note: Double check taskcluster_scope_prefix -> "project:adhoc:signing:"

  • Updated script_config.yaml paths and supported_behaviors

  • Created new client in TC project/releng/scriptworker/v2/mac-signing/prod/firefoxci-adhoc-t

  • Updated ci-config with new client

  • (as my user) Copied daemon plist file /Library/LaunchDaemons/org.mozilla.scriptworker.depbld.plist, updated paths and user, and loaded the service
    sudo launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.depbld.plist
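
An added example, not part of the original comment or the project's code: a Python check for the two notes above (ownership and access of the copied files, and the expected `taskcluster_scope_prefix`). It assumes the copied items sit directly under the worker directory, that they should be readable by their owner only, and that `script_config.yaml` writes `supported_behaviors` as an inline list; `audit_worker_dir` is a hypothetical name.

```python
import os
import re
import stat

# Items the comment lists as copied from the other dep host (assumed relative to the worker dir).
SENSITIVE = ("certs", "scriptworker.yaml", "script_config.yaml")

def _walk(path):
    """Yield path itself and, for a real directory, everything beneath it."""
    yield path
    if os.path.isdir(path) and not os.path.islink(path):
        for dirpath, dirnames, filenames in os.walk(path):
            for name in dirnames + filenames:
                yield os.path.join(dirpath, name)

def audit_worker_dir(root, expected_uid, expected_prefix, allowed_behaviors):
    """Hypothetical helper: return findings; an empty list means all checks passed."""
    findings = []
    for item in SENSITIVE:
        top = os.path.join(root, item)
        if not os.path.lexists(top):
            findings.append(f"missing: {top}")
            continue
        for path in _walk(top):
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append(f"symlink: {path}")  # could point outside the worker dir
                continue
            if st.st_uid != expected_uid:
                findings.append(f"owner: {path} uid={st.st_uid}")
            if stat.S_IMODE(st.st_mode) & 0o077:  # any group/other permission bit
                findings.append(f"mode: {path} {stat.S_IMODE(st.st_mode):04o}")
    cfg = os.path.join(root, "script_config.yaml")
    if os.path.isfile(cfg):
        with open(cfg, encoding="utf-8") as fh:
            text = fh.read()
        # Assumed layout: one key per line, behaviors as an inline [..] list.
        prefixes = re.findall(r'^[ \t]*taskcluster_scope_prefix:[ \t]*"?([^"\n]+)"?', text, re.M)
        if not prefixes:
            findings.append("config: taskcluster_scope_prefix not set")
        for prefix in prefixes:
            if prefix.strip() != expected_prefix:
                findings.append(f"config: unexpected scope prefix {prefix!r}")
        for inline in re.findall(r'^[ \t]*supported_behaviors:[ \t]*\[(.*?)\]', text, re.M):
            extra = {b.strip(" \"'") for b in inline.split(",") if b.strip()} - set(allowed_behaviors)
            if extra:
                findings.append(f"config: extra behaviors {sorted(extra)}")
    return findings
```

Run it as the worker user, passing that user's uid (for example `pwd.getpwnam("depbld").pw_uid`) and the scope prefix the worker is meant to use.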

Contributor Author

hneiva commented Mar 3, 2022

Signing Worker (WIP)

Rollout docs
Manual changes made to mac-v3-signing19

  • Disabled periodic (puppet) and poller services (scriptworker_wrapper as well if you want to test manually)
    sudo launchctl unload /Library/LaunchDaemons/org.mozilla.notarization_poller.poller.plist
    sudo launchctl unload /Library/LaunchDaemons/com.mozilla.periodic.plist
    sudo launchctl unload /Library/LaunchDaemons/org.mozilla.scriptworker.cltbld.plist
  • Updated script_config.yaml

    • taskcluster_scope_prefix: "project:mozillavpn:releng:signing:"
    • supported_behaviors: ["mac_notarize_vpn"] (2x)
  • Updated scriptworker.yaml

    • new clientId, accessToken, worker_type, worker_id
    • cot_product: "mozillavpn"
  • Run enable_scriptworker.sh


[optional] Test dep worker

  • Created new client token

  • Followed dep install as above to test changes to ci-config

    • Created new dep client and updated scriptworker.yaml (make sure paths are updated)
    • Test with source virtualenv/bin/activate && scriptworker scriptworker.yaml

Contributor Author

hneiva commented Mar 3, 2022

TODOS:

  • Do we need to replace cot_product: "firefox" with mozillavpn ??
  • Cleanup script_config.yaml
