cmd/gerritbot: move to Workload Identity

heschi · heschi · commit d4579c2b5c04 · 2021-09-08T20:32:04.000Z
Create a new service account, and move the deployment over to the prod namespace. Also fix AutoCert configuration so we can serve our happy little home page. Fixes golang/go#37377. For golang/go#48263. Change-Id: I9d0a5e49db53c0224379f448b49c9b679d59d23b Reviewed-on: https://go-review.googlesource.com/c/build/+/348433 Trust: Heschi Kreinick <heschi@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
diff --git a/cmd/gerritbot/Makefile b/cmd/gerritbot/Makefile
@@ -17,12 +17,14 @@ docker-staging: Dockerfile
 
 push-prod: docker-prod
 	docker push $(IMAGE_PROD):$(VERSION)
+	docker push $(IMAGE_PROD):$(MUTABLE_VERSION)
 push-staging: docker-staging
 	docker push $(IMAGE_STAGING):$(VERSION)
+	docker push $(IMAGE_STAGING):$(MUTABLE_VERSION)
 
 deploy-prod: push-prod
 	go install golang.org/x/build/cmd/xb
-	xb --prod kubectl set image deployment/gerritbot-deployment gerritbot=$(IMAGE_PROD):$(VERSION)
+	xb --prod kubectl --namespace prod set image deployment/gerritbot-deployment gerritbot=$(IMAGE_PROD):$(VERSION)
 deploy-staging: push-staging
 	go install golang.org/x/build/cmd/xb
 	xb --staging kubectl set image deployment/gerritbot-deployment gerritbot=$(IMAGE_STAGING):$(VERSION)
diff --git a/cmd/gerritbot/deployment-prod.yaml b/cmd/gerritbot/deployment-prod.yaml
@@ -1,6 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  namespace: prod
   name: gerritbot-deployment
 spec:
   replicas: 1
@@ -15,6 +16,9 @@ spec:
         container.seccomp.security.alpha.kubernetes.io/gerritbot: docker/default
         container.apparmor.security.beta.kubernetes.io/gerritbot: runtime/default
     spec:
+      serviceAccountName: gerritbot
+      nodeSelector:
+        cloud.google.com/gke-nodepool: workload-identity-pool
       containers:
       - name: gerritbot
         image: gcr.io/symbolic-datum-552/gerritbot:latest
diff --git a/cmd/gerritbot/service.yaml b/cmd/gerritbot/service.yaml
@@ -1,6 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
+  namespace: prod
   name: gerritbot
 spec:
   ports:
diff --git a/devapp/Makefile b/devapp/Makefile
@@ -17,8 +17,10 @@ docker-staging: Dockerfile
 
 push-prod: docker-prod
 	docker push $(IMAGE_PROD):$(VERSION)
+	docker push $(IMAGE_PROD):$(MUTABLE_VERSION)
 push-staging: docker-staging
 	docker push $(IMAGE_STAGING):$(VERSION)
+	docker push $(IMAGE_STAGING):$(MUTABLE_VERSION)
 
 deploy-prod: push-prod
 	go install golang.org/x/build/cmd/xb
diff --git a/internal/https/https.go b/internal/https/https.go
@@ -131,11 +131,7 @@ func serveAutocertTLS(ctx context.Context, h http.Handler, bucket string) error
 		},
 		Cache: autocertcache.NewGoogleCloudStorageCache(sc, bucket),
 	}
-	config := &tls.Config{
-		GetCertificate: m.GetCertificate,
-		NextProtos:     []string{"h2", "http/1.1"},
-	}
-	tlsLn := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, config)
+	tlsLn := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, m.TLSConfig())
 	if err := http2.ConfigureServer(server, nil); err != nil {
 		return fmt.Errorf("http2.ConfigureServer: %v", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -131,11 +131,7 @@ func serveAutocertTLS(ctx context.Context, h http.Handler, bucket string) error`
`131`	`131`	`},`
`132`	`132`	`Cache: autocertcache.NewGoogleCloudStorageCache(sc, bucket),`
`133`	`133`	`}`
`134`		`- config := &tls.Config{`
`135`		`- GetCertificate: m.GetCertificate,`
`136`		`- NextProtos: []string{"h2", "http/1.1"},`
`137`		`- }`
`138`		`- tlsLn := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, config)`
	`134`	`+ tlsLn := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, m.TLSConfig())`
`139`	`135`	`if err := http2.ConfigureServer(server, nil); err != nil {`
`140`	`136`	`return fmt.Errorf("http2.ConfigureServer: %v", err)`
`141`	`137`	`}`