mac todo
Relops is planning on setting up vault for secret management. This is more secure than the current secrets yaml.
When that happens, we can potentially move the 4 cert secrets into the vault service, and use it from puppet. This will require sec approval. This would allow us to reimage and have a running machine without any manual setup.
Once the above is complete, we can look at running puppet periodically, with pinned python dependencies. Once a python dependency version is bumped, the new version should install automatically on the next run. The run should also restart scriptworker and/or the notarization poller if critical dependencies or config files have changed.
This will remove the need to ssh in to update scriptworker or python dependencies. This will be less prone to human error and more secure.