From cef0a630b3a5684cd799085691ea0c8db86218ac Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews
Date: Wed, 5 Apr 2017 09:41:41 -0700
Subject: [PATCH] Remove old-style gRPC TLS configs (#2495)
* Switch Publisher gRPC to use new "tls" block.
* Remove old-style GRPC TLS configs.
* Fix incorrect TLS blocks.
* Remove more config.
---
 cmd/boulder-publisher/main.go | 10 ----------
 cmd/config.go | 8 --------
 cmd/ocsp-updater/main.go | 10 ----------
 test/config-next/publisher.json | 11 +++++------
 test/config/publisher.json | 11 +++++------
 5 files changed, 10 insertions(+), 40 deletions(-)
diff --git a/cmd/boulder-publisher/main.go b/cmd/boulder-publisher/main.go
index e30141ffc..3627de404 100644
--- a/cmd/boulder-publisher/main.go
+++ b/cmd/boulder-publisher/main.go
@@ -76,16 +76,6 @@ func main() {
 bundle = append(bundle, ct.ASN1Cert(cert.Raw))
 }
- // TODO(jsha): Publisher is currently configured in production using old-style
- // GRPC config fields. Remove this once production is switched over.
- if c.Publisher.GRPC != nil && c.Publisher.TLS.CertFile == nil {
- c.Publisher.TLS = cmd.TLSConfig{
- CertFile: &c.Publisher.GRPC.ServerCertificatePath,
- KeyFile: &c.Publisher.GRPC.ServerKeyPath,
- CACertFile: &c.Publisher.GRPC.ClientIssuerPath,
- }
- }
-
 var tls *tls.Config
 if c.Publisher.TLS.CertFile != nil {
 tls, err = c.Publisher.TLS.Load()
diff --git a/cmd/config.go b/cmd/config.go
index b352caa7f..b44967356 100644
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -324,10 +324,6 @@ type LogDescription struct {
 type GRPCClientConfig struct {
 ServerAddresses []string
 Timeout ConfigDuration
- // Deprecated. Use TLSConfig instead. TODO(#2472): Delete these.
- ServerIssuerPath string
- ClientCertificatePath string
- ClientKeyPath string
 }
 // GRPCServerConfig contains the information needed to run a gRPC service
@@ -337,10 +333,6 @@ type GRPCServerConfig struct {
 // (SANs). The server will reject clients that do not present a certificate
 // with a SAN present on the `ClientNames` list.
 ClientNames []string `json:"clientNames"`
- // Deprecated. Use TLSConfig instead. TODO(#2472): Delete these.
- ServerCertificatePath string `json:"serverCertificatePath"`
- ServerKeyPath string `json:"serverKeyPath"`
- ClientIssuerPath string `json:"clientIssuerPath"`
 }
 // PortConfig specifies what ports the VA should call to on the remote
diff --git a/cmd/ocsp-updater/main.go b/cmd/ocsp-updater/main.go
index 45435bab0..1ec2c0668 100644
--- a/cmd/ocsp-updater/main.go
+++ b/cmd/ocsp-updater/main.go
@@ -729,16 +729,6 @@ func setupClients(c cmd.OCSPUpdaterConfig, stats metrics.Scope) (
 core.Publisher,
 core.StorageAuthority,
 ) {
- // TODO(jsha): Publisher is currently configured in production using old-style
- // GRPC config fields. Remove this once production is switched over.
- if c.Publisher != nil && c.TLS.CertFile == nil {
- c.TLS = cmd.TLSConfig{
- CertFile: &c.Publisher.ClientCertificatePath,
- KeyFile: &c.Publisher.ClientKeyPath,
- CACertFile: &c.Publisher.ServerIssuerPath,
- }
- }
-
 var tls *tls.Config
 var err error
 if c.TLS.CertFile != nil {
diff --git a/test/config-next/publisher.json b/test/config-next/publisher.json
index a0c2d2b1b..f83b689ab 100644
--- a/test/config-next/publisher.json
+++ b/test/config-next/publisher.json
@@ -5,19 +5,18 @@
 "debugAddr": ":8009",
 "grpc": {
 "address": ":9091",
- "clientIssuerPath": "test/grpc-creds/minica.pem",
- "serverCertificatePath": "test/grpc-creds/publisher.boulder/cert.pem",
- "serverKeyPath": "test/grpc-creds/publisher.boulder/key.pem",
 "clientNames": [
 "ra.boulder",
 "ocsp-updater.boulder"
 ]
 },
+ "tls": {
+ "caCertFile": "test/grpc-creds/minica.pem",
+ "certFile": "test/grpc-creds/publisher.boulder/cert.pem",
+ "keyFile": "test/grpc-creds/publisher.boulder/key.pem"
+ },
 "saService": {
 "serverAddresses": ["sa.boulder:19095"],
- "serverIssuerPath": "test/grpc-creds/minica.pem",
- "clientCertificatePath": "test/grpc-creds/publisher.boulder/cert.pem",
- "clientKeyPath": "test/grpc-creds/publisher.boulder/key.pem",
 "timeout": "15s"
 }
 },
diff --git a/test/config/publisher.json b/test/config/publisher.json
index 4060223a6..5da173a45 100644
--- a/test/config/publisher.json
+++ b/test/config/publisher.json
@@ -3,11 +3,13 @@
 "maxConcurrentRPCServerRequests": 100000,
 "submissionTimeout": "5s",
 "debugAddr": ":8009",
+ "tls": {
+ "caCertFile": "test/grpc-creds/minica.pem",
+ "certFile": "test/grpc-creds/publisher.boulder/cert.pem",
+ "keyFile": "test/grpc-creds/publisher.boulder/key.pem"
+ },
 "grpc": {
 "address": ":9091",
- "clientIssuerPath": "test/grpc-creds/minica.pem",
- "serverCertificatePath": "test/grpc-creds/publisher.boulder/cert.pem",
- "serverKeyPath": "test/grpc-creds/publisher.boulder/key.pem",
 "clientNames": [
 "ra.boulder",
 "ocsp-updater.boulder"
@@ -15,9 +17,6 @@
 },
 "saService": {
 "serverAddresses": ["sa.boulder:19095"],
- "serverIssuerPath": "test/grpc-creds/minica.pem",
- "clientCertificatePath": "test/grpc-creds/publisher.boulder/cert.pem",
- "clientKeyPath": "test/grpc-creds/publisher.boulder/key.pem",
 "timeout": "15s"
 }
 },
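Review bot: The `"tls"` object added in the test/config-next/publisher.json hunk is now the only source of the publisher's certificate, key and CA, yet nothing visible in this commit makes it mandatory. The same commit deletes the `serverCertificatePath`/`clientCertificatePath` family from the structs in cmd/config.go, so a deployed config that still carries those keys, or omits `tls`, would presumably decode with `TLS.CertFile` left nil. The surviving guards are `if c.Publisher.TLS.CertFile != nil` in cmd/boulder-publisher/main.go and `if c.TLS.CertFile != nil` in cmd/ocsp-updater/main.go; their nil path lies outside the hunks, so confirm it stops the process rather than continuing without mutual TLS. If it does not, add an explicit startup failure such as `if c.Publisher.TLS.CertFile == nil { /* abort: "tls" block is required */ }` before the listener or client is built. The `"tls"` block added in the test/config/publisher.json hunk is covered by the same point.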