CA: Remove deprecated config stanzas (#6595)

These config stanzas have been removed in staging and prod. They used to configure the separate OCSP and CRL gRPC services provided by the CA process, but the CA now provides those services on the same port as the main CA gRPC service. Fixes #6448
2023-04-07 09:37:34 -07:00 · 2023-04-07 09:37:34 -07:00 · e55a276efe
parent 05a4026658
commit e55a276efe
6 changed files with 6 additions and 136 deletions
--- a/ca/ocsp.go
+++ b/ca/ocsp.go
@ -271,35 +271,9 @@ func (olq *ocspLogQueue) stop() {
 	olq.wg.Wait()
 }

-// disabledOCSPImpl implements the capb.OCSPGeneratorServer interface, but
-// returns an error for all gRPC methods. This is only used to replace a real
-// impl when the OCSPGenerator service is disabled.
-// TODO(#6448): Remove this.
-type disabledOCSPImpl struct {
-	capb.UnimplementedOCSPGeneratorServer
-}
-
-// NewDisabledOCSPImpl returns an object which implements the
-// capb.OCSPGeneratorServer interface, but always returns errors.
-func NewDisabledOCSPImpl() *disabledOCSPImpl {
-	return &disabledOCSPImpl{}
-}
-
-// GenerateOCSP always returns an error because the service is disabled.
-func (oi *disabledOCSPImpl) GenerateOCSP(ctx context.Context, req *capb.GenerateOCSPRequest) (*capb.OCSPResponse, error) {
-	return nil, errors.New("the OCSPGenerator gRPC service is disabled")
-}
-
-// LogOCSPLoop is an no-op because there is no OCSP issuance to be logged.
-func (oi *disabledOCSPImpl) LogOCSPLoop() {}
-
-// Stop is a no-op because there is no log loop to be stopped.
-func (oi *disabledOCSPImpl) Stop() {}
-
-// OCSPGenerator is an interface met by both the ocspImpl and disabledOCSPImpl
-// types. It exists only so that the caImpl can equivalently consume either
-// type, depending on whether or not the OCSP Generator service is disabled.
-// TODO(#6448): Remove this.
+// OCSPGenerator is an interface which exposes both the auto-generated gRPC
+// methods and our special-purpose log queue start and stop methods, so that
+// they can be called from main without exporting the ocspImpl type.
 type OCSPGenerator interface {
 	capb.OCSPGeneratorServer
 	LogOCSPLoop()
--- a/cmd/boulder-ca/main.go
+++ b/cmd/boulder-ca/main.go
@ -29,9 +29,6 @@ type Config struct {
 		cmd.HostnamePolicyConfig

 		GRPCCA *cmd.GRPCServerConfig
-		// TODO(#6448): Remove these deprecated server configs.
-		GRPCOCSPGenerator *cmd.GRPCServerConfig
-		GRPCCRLGenerator  *cmd.GRPCServerConfig

 		SAService *cmd.GRPCClientConfig

@ -148,9 +145,6 @@ func main() {
 	caAddr := flag.String("ca-addr", "", "CA gRPC listen address override")
 	debugAddr := flag.String("debug-addr", "", "Debug server address override")
 	configFile := flag.String("config", "", "File path to the configuration file for this service")
-	// TODO(#6448): Remove these deprecated ocsp and crl addr flags.
-	_ = flag.String("ocsp-addr", "", "OCSP gRPC listen address override")
-	_ = flag.String("crl-addr", "", "CRL gRPC listen address override")
 	flag.Parse()
 	if *configFile == "" {
 		flag.Usage()
@ -255,7 +249,7 @@ func main() {

 	srv := bgrpc.NewServer(c.CA.GRPCCA)

-	// TODO(#6448): Remove this predeclaration when NewCertificateAuthorityImpl
+	// TODO(#6285): Remove this predeclaration when NewCertificateAuthorityImpl
 	// no longer needs ocspi as an argument.
 	var ocspi ca.OCSPGenerator
 	if !c.CA.DisableOCSPService {
--- a/test/config/ca-a.json
+++ b/test/config/ca-a.json
@ -34,39 +34,6 @@
 				}
 			}
 		},
-		"grpcOCSPGenerator": {
-			"maxConnectionAge": "30s",
-			"address": ":9096",
-			"services": {
-				"ca.OCSPGenerator": {
-					"clientNames": [
-						"orphan-finder.boulder",
-						"ra.boulder"
-					]
-				},
-				"grpc.health.v1.Health": {
-					"clientNames": [
-						"health-checker.boulder"
-					]
-				}
-			}
-		},
-		"grpcCRLGenerator": {
-			"maxConnectionAge": "30s",
-			"address": ":9106",
-			"services": {
-				"ca.CRLGenerator": {
-					"clientNames": [
-						"crl-updater.boulder"
-					]
-				},
-				"grpc.health.v1.Health": {
-					"clientNames": [
-						"health-checker.boulder"
-					]
-				}
-			}
-		},
 		"saService": {
 			"serverAddress": "sa.service.consul:9095",
 			"timeout": "15s",
--- a/test/config/ca-b.json
+++ b/test/config/ca-b.json
@ -34,39 +34,6 @@
 				}
 			}
 		},
-		"grpcOCSPGenerator": {
-			"maxConnectionAge": "30s",
-			"address": ":9096",
-			"services": {
-				"ca.OCSPGenerator": {
-					"clientNames": [
-						"orphan-finder.boulder",
-						"ra.boulder"
-					]
-				},
-				"grpc.health.v1.Health": {
-					"clientNames": [
-						"health-checker.boulder"
-					]
-				}
-			}
-		},
-		"grpcCRLGenerator": {
-			"maxConnectionAge": "30s",
-			"address": ":9106",
-			"services": {
-				"ca.CRLGenerator": {
-					"clientNames": [
-						"crl-updater.boulder"
-					]
-				},
-				"grpc.health.v1.Health": {
-					"clientNames": [
-						"health-checker.boulder"
-					]
-				}
-			}
-		},
 		"saService": {
 			"serverAddress": "sa.service.consul:9095",
 			"timeout": "15s",
--- a/test/consul/config.hcl
+++ b/test/consul/config.hcl
@ -68,38 +68,6 @@ services {
  tags    = ["tcp"] // Required for SRV RR support in gRPC DNS resolution.
 }

-services {
-  id      = "ca-ocsp-a"
-  name    = "ca-ocsp"
-  address = "10.77.77.77"
-  port    = 9096
-  tags    = ["tcp"] // Required for SRV RR support in gRPC DNS resolution.
-}
-
-services {
-  id      = "ca-ocsp-b"
-  name    = "ca-ocsp"
-  address = "10.88.88.88"
-  port    = 9096
-  tags    = ["tcp"] // Required for SRV RR support in gRPC DNS resolution.
-}
-
-services {
-  id      = "ca-crl-a"
-  name    = "ca-crl"
-  address = "10.77.77.77"
-  port    = 9106
-  tags    = ["tcp"] // Required for SRV RR support in gRPC DNS resolution.
-}
-
-services {
-  id      = "ca-crl-b"
-  name    = "ca-crl"
-  address = "10.88.88.88"
-  port    = 9106
-  tags    = ["tcp"] // Required for SRV RR support in gRPC DNS resolution.
-}
-
 services {
  id      = "crl-storer-a"
  name    = "crl-storer"
--- a/test/startservers.py
+++ b/test/startservers.py
@ -59,11 +59,11 @@ SERVICES = (
        ('boulder-remoteva-a', 'boulder-remoteva-b')),
    Service('boulder-ca-a',
        8001, 'ca1.service.consul:9093',
-        ('./bin/boulder', 'boulder-ca', '--config', os.path.join(config_dir, 'ca-a.json'), '--ca-addr', 'ca1.service.consul:9093', '--ocsp-addr', 'ca1.service.consul:9096', '--crl-addr', 'ca1.service.consul:9106', '--debug-addr', ':8001'),
+        ('./bin/boulder', 'boulder-ca', '--config', os.path.join(config_dir, 'ca-a.json'), '--ca-addr', 'ca1.service.consul:9093', '--debug-addr', ':8001'),
        ('boulder-sa-1', 'boulder-sa-2')),
    Service('boulder-ca-b',
        8101, 'ca2.service.consul:9093',
-        ('./bin/boulder', 'boulder-ca', '--config', os.path.join(config_dir, 'ca-b.json'), '--ca-addr', 'ca2.service.consul:9093', '--ocsp-addr', 'ca2.service.consul:9096', '--crl-addr', 'ca2.service.consul:9106', '--debug-addr', ':8101'),
+        ('./bin/boulder', 'boulder-ca', '--config', os.path.join(config_dir, 'ca-b.json'), '--ca-addr', 'ca2.service.consul:9093', '--debug-addr', ':8101'),
        ('boulder-sa-1', 'boulder-sa-2')),
    Service('akamai-test-srv',
        6789, None,