Add certifier for *.internal-registry.ci.rox.systems (#1005)

.github/workflows/build-and-push.yaml

@@ -44,10 +44,14 @@ jobs:
         run: |
           make unit-test
 
-      - name: Build
+      - name: Build Infra Server
         run: |
           make image
 
+      - name: Build Certifier
+        run: |
+          cd certifier && make image
+  
       - name: Login for image push
         uses: docker/login-action@v2
         with:
@@ -58,3 +62,4 @@ jobs:
       - name: Push
         run: |
           make push
+          cd certifier && make push

certifier/Dockerfile

@@ -1,4 +1,4 @@
-FROM certbot/dns-google:v0.38.0
+FROM certbot/dns-google:v2.6.0
 
 COPY certifier /usr/local/bin/certifier
 

certifier/Makefile

@@ -1,4 +1,30 @@
-.PHONY: build
-build:
-	GOOS=linux GOARCH=amd64 go build -o certifier -ldflags='-s -w' *.go
-	docker build -t certifier:latest .
+.PHONY: all
+all: image
+
+TAG=$(shell git describe --tags --abbrev=10 --long)
+TAGGED=$(shell git tag --contains | head)
+ifneq (,$(TAGGED))
+	# We're tagged. Use the tag explicitly.
+	VERSION := $(TAGGED)
+else
+	# We're on a dev/PR branch
+	VERSION := $(TAG)
+endif
+
+.PHONY: tag
+tag:
+	@echo $(VERSION)
+
+IMAGE=us.gcr.io/stackrox-infra/certifier:$(VERSION)
+.PHONY: image-name
+image-name:
+	@echo $(IMAGE)
+
+.PHONY: image
+image:
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o certifier -ldflags='-s -w' *.go
+	docker build -t $(IMAGE) .
+
+.PHONY: push
+push:
+	docker push $(IMAGE) | cat

certifier/main.go

@@ -28,6 +28,7 @@ type config struct {
 	GCSBucket             string
 	GCSPrefix             string
 	GoogleCredentialsFile string
+	GoogleProject         string
 	RenewalDays           int
 }
 
@@ -47,6 +48,7 @@ func mainCmd() error {
 	flag.StringVar(&cfg.GCSBucket, "gcs-bucket", "", "")
 	flag.StringVar(&cfg.GCSPrefix, "gcs-prefix", "", "")
 	flag.IntVar(&cfg.RenewalDays, "renewal-days", 15, "")
+	flag.StringVar(&cfg.GoogleProject, "gcp-project-name", "", "")
 	flag.Parse()
 
 	googleCredentialsFile, found := os.LookupEnv("GOOGLE_APPLICATION_CREDENTIALS")
@@ -165,6 +167,10 @@ func buildCertbotCommand(cfg config) *exec.Cmd {
 		args = append(args, "--domains", cfg.AlternativeNames)
 	}
 
+	if cfg.GoogleProject != "" {
+		args = append(args, "--dns-google-project", cfg.GoogleProject)
+	}
+
 	cmd := exec.Command("certbot", args...)
 	cmd.Stdin = nil
 	cmd.Stdout = os.Stdout

chart/infra-server/templates/demo-certifier.yaml

@@ -81,4 +81,40 @@ spec:
             - name: configuration
               secret:
                 secretName: demo-certifier-credentials
+
+---
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: demo-certifier-internal-registry-ci-rox-systems
+  namespace: infra
+spec:
+  schedule: "@weekly"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: certifier
+            image: us.gcr.io/stackrox-infra/certifier:0.8.0-11-ga083b2097a
+            imagePullPolicy: IfNotPresent
+            args:
+              - --common-name=*.internal-registry.ci.rox.systems
+              - --cert-name=internal-registry.ci.rox.systems
+              - --gcs-bucket=sr-demo-files
+              - --gcs-prefix=certs
+              - --gcp-project-name=stackrox-ci
+            env:
+              - name: GOOGLE_APPLICATION_CREDENTIALS
+                value: /configuration/google-credentials.json
+            volumeMounts:
+              - mountPath: /configuration
+                name: configuration
+                readOnly: true
+          restartPolicy: Never
+          volumes:
+            - name: configuration
+              secret:
+                secretName: demo-certifier-credentials
 {{ end }}