From e55a276efef324adf20c6bb47a539b8d1f2473b8 Mon Sep 17 00:00:00 2001
From: Aaron Gable
Date: Fri, 7 Apr 2023 09:37:34 -0700
Subject: [PATCH] CA: Remove deprecated config stanzas (#6595)

These config stanzas have been removed in staging and prod. They used to configure the separate OCSP and CRL gRPC services provided by the CA process, but the CA now provides those services on the same port as the main CA gRPC service.

Fixes #6448
---
 ca/ocsp.go | 32 +++-----------------------------
 cmd/boulder-ca/main.go | 8 +-------
 test/config/ca-a.json | 33 ---------------------------------
 test/config/ca-b.json | 33 ---------------------------------
 test/consul/config.hcl | 32 --------------------------------
 test/startservers.py | 4 ++--
 6 files changed, 6 insertions(+), 136 deletions(-)

diff --git a/ca/ocsp.go b/ca/ocsp.go
index b90b48e6a..c829d6784 100644
--- a/ca/ocsp.go
+++ b/ca/ocsp.go
@@ -271,35 +271,9 @@ func (olq *ocspLogQueue) stop() {
 olq.wg.Wait()
 }
 
-// disabledOCSPImpl implements the capb.OCSPGeneratorServer interface, but
-// returns an error for all gRPC methods. This is only used to replace a real
-// impl when the OCSPGenerator service is disabled.
-// TODO(#6448): Remove this.
-type disabledOCSPImpl struct {
- capb.UnimplementedOCSPGeneratorServer
-}
-
-// NewDisabledOCSPImpl returns an object which implements the
-// capb.OCSPGeneratorServer interface, but always returns errors.
-func NewDisabledOCSPImpl() *disabledOCSPImpl {
- return &disabledOCSPImpl{}
-}
-
-// GenerateOCSP always returns an error because the service is disabled.
-func (oi *disabledOCSPImpl) GenerateOCSP(ctx context.Context, req *capb.GenerateOCSPRequest) (*capb.OCSPResponse, error) {
- return nil, errors.New("the OCSPGenerator gRPC service is disabled")
-}
-
-// LogOCSPLoop is an no-op because there is no OCSP issuance to be logged.
-func (oi *disabledOCSPImpl) LogOCSPLoop() {}
-
-// Stop is a no-op because there is no log loop to be stopped.
-func (oi *disabledOCSPImpl) Stop() {}
-
-// OCSPGenerator is an interface met by both the ocspImpl and disabledOCSPImpl
-// types. It exists only so that the caImpl can equivalently consume either
-// type, depending on whether or not the OCSP Generator service is disabled.
-// TODO(#6448): Remove this.
+// OCSPGenerator is an interface which exposes both the auto-generated gRPC
+// methods and our special-purpose log queue start and stop methods, so that
+// they can be called from main without exporting the ocspImpl type.
 type OCSPGenerator interface {
 capb.OCSPGeneratorServer
 LogOCSPLoop()
diff --git a/cmd/boulder-ca/main.go b/cmd/boulder-ca/main.go
index 0164738e3..0b4973b8e 100644
--- a/cmd/boulder-ca/main.go
+++ b/cmd/boulder-ca/main.go
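Review bot: In ca/ocsp.go, the rewritten doc comment on `OCSPGenerator` drops the only mention of the disabled case, yet cmd/boulder-ca/main.go still predeclares `var ocspi ca.OCSPGenerator` and assigns it only under `if !c.CA.DisableOCSPService`. With `disabledOCSPImpl` gone there is no non-nil stand-in, so the value is presumably a nil interface when the service is disabled, and any call to `LogOCSPLoop()` or a gRPC method on it would panic. I would add a line to the comment such as `// A nil OCSPGenerator means the OCSP service is disabled; callers must check for nil before use.` The interface body and its consumers continue outside this hunk, so the existing nil handling cannot be confirmed from here.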
@@ -29,9 +29,6 @@ type Config struct { cmd.HostnamePolicyConfig GRPCCA *cmd.GRPCServerConfig - // TODO(#6448): Remove these deprecated server configs. - GRPCOCSPGenerator *cmd.GRPCServerConfig - GRPCCRLGenerator *cmd.GRPCServerConfig SAService *cmd.GRPCClientConfig @@ -148,9 +145,6 @@ func main() { caAddr := flag.String("ca-addr", "", "CA gRPC listen address override") debugAddr := flag.String("debug-addr", "", "Debug server address override") configFile := flag.String("config", "", "File path to the configuration file for this service") - // TODO(#6448): Remove these deprecated ocsp and crl addr flags. - _ = flag.String("ocsp-addr", "", "OCSP gRPC listen address override") - _ = flag.String("crl-addr", "", "CRL gRPC listen address override") flag.Parse() if *configFile == "" { flag.Usage() @@ -255,7 +249,7 @@ func main() { srv := bgrpc.NewServer(c.CA.GRPCCA) - // TODO(#6448): Remove this predeclaration when NewCertificateAuthorityImpl + // TODO(#6285): Remove this predeclaration when NewCertificateAuthorityImpl // no longer needs ocspi as an argument. var ocspi ca.OCSPGenerator if !c.CA.DisableOCSPService { diff --git a/test/config/ca-a.json b/test/config/ca-a.json index d26336643..8ccb030ce 100644 --- a/test/config/ca-a.json +++ b/test/config/ca-a.json @@ -34,39 +34,6 @@ } } }, - "grpcOCSPGenerator": { - "maxConnectionAge": "30s", - "address": ":9096", - "services": { - "ca.OCSPGenerator": { - "clientNames": [ - "orphan-finder.boulder", - "ra.boulder" - ] - }, - "grpc.health.v1.Health": { - "clientNames": [ - "health-checker.boulder" - ] - } - } - }, - "grpcCRLGenerator": { - "maxConnectionAge": "30s", - "address": ":9106", - "services": { - "ca.CRLGenerator": { - "clientNames": [ - "crl-updater.boulder" - ] - }, - "grpc.health.v1.Health": { - "clientNames": [ - "health-checker.boulder" - ] - } - } - }, "saService": { "serverAddress": "sa.service.consul:9095", "timeout": "15s", 
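Review bot: In the `Config` struct of cmd/boulder-ca/main.go (first hunk), `GRPCCA` is now the only listener stanza and carries no comment saying that it also serves the OCSPGenerator and CRLGenerator services. The deleted test stanzas gave each service its own `clientNames` list (ra.boulder and orphan-finder.boulder for ca.OCSPGenerator, crl-updater.boulder for ca.CRLGenerator), so on the shared port the per-service lists inside `grpcCA` are presumably what keeps an OCSP or CRL client away from the issuance methods; the retained `grpcCA` block is not visible in this patch, so that is worth checking against the deployed config. I would document the field, e.g. `// GRPCCA configures the single gRPC listener for the CA, OCSPGenerator and CRLGenerator services; each service needs its own clientNames entry.` The struct continues outside the hunk.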
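Review bot: In `main()` of cmd/boulder-ca/main.go (second hunk), deleting the `--ocsp-addr` and `--crl-addr` definitions turns them from accepted-and-ignored into unknown flags, and `flag.Parse()` on the default command line exits on an unknown flag. The commit message says the config stanzas are gone from staging and prod but does not mention launch commands, and this patch itself had to edit test/startservers.py for that reason. Worth confirming that no deployed unit file or wrapper still passes either flag before this ships, or keeping the two `_ = flag.String(...)` lines for one more release. `main()` continues outside the hunk.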
diff --git a/test/config/ca-b.json b/test/config/ca-b.json
index a2cb52d72..c0c22d383 100644
--- a/test/config/ca-b.json
+++ b/test/config/ca-b.json
@@ -34,39 +34,6 @@
 }
 }
 },
- "grpcOCSPGenerator": {
- "maxConnectionAge": "30s",
- "address": ":9096",
- "services": {
- "ca.OCSPGenerator": {
- "clientNames": [
- "orphan-finder.boulder",
- "ra.boulder"
- ]
- },
- "grpc.health.v1.Health": {
- "clientNames": [
- "health-checker.boulder"
- ]
- }
- }
- },
- "grpcCRLGenerator": {
- "maxConnectionAge": "30s",
- "address": ":9106",
- "services": {
- "ca.CRLGenerator": {
- "clientNames": [
- "crl-updater.boulder"
- ]
- },
- "grpc.health.v1.Health": {
- "clientNames": [
- "health-checker.boulder"
- ]
- }
- }
- },
 "saService": {
 "serverAddress": "sa.service.consul:9095",
 "timeout": "15s",
diff --git a/test/consul/config.hcl b/test/consul/config.hcl
index 736fd111a..c9b558411 100644
--- a/test/consul/config.hcl
+++ b/test/consul/config.hcl
@@ -68,38 +68,6 @@ services {
 tags = ["tcp"] // Required for SRV RR support in gRPC DNS resolution.
 }
 
-services {
- id = "ca-ocsp-a"
- name = "ca-ocsp"
- address = "10.77.77.77"
- port = 9096
- tags = ["tcp"] // Required for SRV RR support in gRPC DNS resolution.
-}
-
-services {
- id = "ca-ocsp-b"
- name = "ca-ocsp"
- address = "10.88.88.88"
- port = 9096
- tags = ["tcp"] // Required for SRV RR support in gRPC DNS resolution.
-}
-
-services {
- id = "ca-crl-a"
- name = "ca-crl"
- address = "10.77.77.77"
- port = 9106
- tags = ["tcp"] // Required for SRV RR support in gRPC DNS resolution.
-}
-
-services {
- id = "ca-crl-b"
- name = "ca-crl"
- address = "10.88.88.88"
- port = 9106
- tags = ["tcp"] // Required for SRV RR support in gRPC DNS resolution.
-}
-
 services {
 id = "crl-storer-a"
 name = "crl-storer"
diff --git a/test/startservers.py b/test/startservers.py
index a85339777..3f6c0cd20 100644
--- a/test/startservers.py
+++ b/test/startservers.py
@@ -59,11 +59,11 @@ SERVICES = ( ('boulder-remoteva-a', 'boulder-remoteva-b')), Service('boulder-ca-a', 8001, 'ca1.service.consul:9093', - ('./bin/boulder', 'boulder-ca', '--config', os.path.join(config_dir, 'ca-a.json'), '--ca-addr', 'ca1.service.consul:9093', '--ocsp-addr', 'ca1.service.consul:9096', '--crl-addr', 'ca1.service.consul:9106', '--debug-addr', ':8001'), + ('./bin/boulder', 'boulder-ca', '--config', os.path.join(config_dir, 'ca-a.json'), '--ca-addr', 'ca1.service.consul:9093', '--debug-addr', ':8001'), ('boulder-sa-1', 'boulder-sa-2')), Service('boulder-ca-b', 8101, 'ca2.service.consul:9093', - ('./bin/boulder', 'boulder-ca', '--config', os.path.join(config_dir, 'ca-b.json'), '--ca-addr', 'ca2.service.consul:9093', '--ocsp-addr', 'ca2.service.consul:9096', '--crl-addr', 'ca2.service.consul:9106', '--debug-addr', ':8101'), + ('./bin/boulder', 'boulder-ca', '--config', os.path.join(config_dir, 'ca-b.json'), '--ca-addr', 'ca2.service.consul:9093', '--debug-addr', ':8101'), ('boulder-sa-1', 'boulder-sa-2')), Service('akamai-test-srv', 6789, None,