cmd/gerritbot: move to Workload Identity

Create a new service account, and move the deployment over to the prod
namespace.

Also fix AutoCert configuration so we can serve our happy little home
page.

Fixes golang/go#37377.
For golang/go#48263.

Change-Id: I9d0a5e49db53c0224379f448b49c9b679d59d23b
Reviewed-on: https://go-review.googlesource.com/c/build/+/348433
Trust: Heschi Kreinick <heschi@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
diff --git a/cmd/gerritbot/Makefile b/cmd/gerritbot/Makefile
index 98901dc..4c9cb0e 100644
--- a/cmd/gerritbot/Makefile
+++ b/cmd/gerritbot/Makefile
@@ -17,12 +17,14 @@
 
 push-prod: docker-prod
 	docker push $(IMAGE_PROD):$(VERSION)
+	docker push $(IMAGE_PROD):$(MUTABLE_VERSION)
 push-staging: docker-staging
 	docker push $(IMAGE_STAGING):$(VERSION)
+	docker push $(IMAGE_STAGING):$(MUTABLE_VERSION)
 
 deploy-prod: push-prod
 	go install golang.org/x/build/cmd/xb
-	xb --prod kubectl set image deployment/gerritbot-deployment gerritbot=$(IMAGE_PROD):$(VERSION)
+	xb --prod kubectl --namespace prod set image deployment/gerritbot-deployment gerritbot=$(IMAGE_PROD):$(VERSION)
 deploy-staging: push-staging
 	go install golang.org/x/build/cmd/xb
 	xb --staging kubectl set image deployment/gerritbot-deployment gerritbot=$(IMAGE_STAGING):$(VERSION)
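Review bot: The new `docker push $(IMAGE_PROD):$(MUTABLE_VERSION)` line makes the prod image reachable under a movable tag, and the `deployment-prod.yaml` in this same change still references `gerritbot:latest`, so a plain `kubectl apply` of the manifest and `deploy-prod`'s `set image ... :$(VERSION)` would resolve to different images over time. Since `MUTABLE_VERSION` is defined outside the hunk I cannot tell whether it is `latest`; if it is, a comment such as `# $(VERSION) is the pinned rollout tag; the mutable tag only seeds fresh applies of the manifest` above `push-prod` would record the intent, and pinning the manifest by digest would remove the ambiguity. The same push lines are added in `devapp/Makefile`. Note also that `deploy-prod` now passes `--namespace prod` while `deploy-staging` does not; that is presumably deliberate, but a one-line comment would save the next reader checking.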
diff --git a/cmd/gerritbot/deployment-prod.yaml b/cmd/gerritbot/deployment-prod.yaml
index 23349ad..dfdfe34 100644
--- a/cmd/gerritbot/deployment-prod.yaml
+++ b/cmd/gerritbot/deployment-prod.yaml
@@ -1,6 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  namespace: prod
   name: gerritbot-deployment
 spec:
   replicas: 1
@@ -15,6 +16,9 @@
         container.seccomp.security.alpha.kubernetes.io/gerritbot: docker/default
         container.apparmor.security.beta.kubernetes.io/gerritbot: runtime/default
     spec:
+      serviceAccountName: gerritbot
+      nodeSelector:
+        cloud.google.com/gke-nodepool: workload-identity-pool
       containers:
       - name: gerritbot
         image: gcr.io/symbolic-datum-552/gerritbot:latest
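Review bot: `serviceAccountName: gerritbot` refers to a Kubernetes ServiceAccount in namespace `prod` that is not part of this change, so pod creation will fail until it exists with the Workload Identity annotation that binds it to the GCP service account the description mentions; either add the ServiceAccount manifest here or comment where it is provisioned. With a dedicated service account the Kubernetes API token is still auto-mounted into the container by default; unless gerritbot talks to the Kubernetes API (nothing in this diff suggests it does), add `automountServiceAccountToken: false` alongside `serviceAccountName` so the pod carries only the credential it needs. The `nodeSelector` pinning to `workload-identity-pool` is the right call, but a short comment saying the pool exists because Workload Identity is enabled per node pool would explain the constraint.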
diff --git a/cmd/gerritbot/service.yaml b/cmd/gerritbot/service.yaml
index 03d906b..e655eb5 100644
--- a/cmd/gerritbot/service.yaml
+++ b/cmd/gerritbot/service.yaml
@@ -1,6 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
+  namespace: prod
   name: gerritbot
 spec:
   ports:
diff --git a/devapp/Makefile b/devapp/Makefile
index 4209a0a..5451a04 100644
--- a/devapp/Makefile
+++ b/devapp/Makefile
@@ -17,8 +17,10 @@
 
 push-prod: docker-prod
 	docker push $(IMAGE_PROD):$(VERSION)
+	docker push $(IMAGE_PROD):$(MUTABLE_VERSION)
 push-staging: docker-staging
 	docker push $(IMAGE_STAGING):$(VERSION)
+	docker push $(IMAGE_STAGING):$(MUTABLE_VERSION)
 
 deploy-prod: push-prod
 	go install golang.org/x/build/cmd/xb
diff --git a/internal/https/https.go b/internal/https/https.go
index 45cef37..35b9ab1 100644
--- a/internal/https/https.go
+++ b/internal/https/https.go
@@ -131,11 +131,7 @@
 		},
 		Cache: autocertcache.NewGoogleCloudStorageCache(sc, bucket),
 	}
-	config := &tls.Config{
-		GetCertificate: m.GetCertificate,
-		NextProtos:     []string{"h2", "http/1.1"},
-	}
-	tlsLn := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, config)
+	tlsLn := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, m.TLSConfig())
 	if err := http2.ConfigureServer(server, nil); err != nil {
 		return fmt.Errorf("http2.ConfigureServer: %v", err)
 	}
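Review bot: The replacement `tls.NewListener(..., m.TLSConfig())` discards the chance to harden the config before use; `TLSConfig()` returns a fresh `*tls.Config` that only sets `GetCertificate` and `NextProtos` (adding the ACME ALPN protocol, which is presumably the home-page fix), and leaves `MinVersion` at the library default. Since the old inline config did not set it either this is not a regression, but the new code could do `cfg := m.TLSConfig()`, `cfg.MinVersion = tls.VersionTLS12`, and pass `cfg` to `NewListener` at no cost. The retained `ln.(*net.TCPListener)` assertion is unchecked and panics rather than returning an error if `ln` is ever not a TCP listener; a two-value assertion feeding the existing `fmt.Errorf` style would match the hunk's error handling. The enclosing function starts and ends outside the hunk.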