Change the sleep time between proxy rollout (#2689)

This removes logic from an inner helper method so that it becomes more clear
from callsites within each test exactly which behavior is expected from those
test conditions.

common/src/testing/java/google/registry/testing/truth/TextDiffSubject.java

@@ -35,6 +35,7 @@ import com.google.common.truth.SimpleSubjectBuilder;
 import com.google.common.truth.Subject;
 import java.io.IOException;
 import java.net.URL;
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Comparator;
 import java.util.List;
@@ -63,6 +64,7 @@ public class TextDiffSubject extends Subject {
 
   private final ImmutableList<String> actual;
   private DiffFormat diffFormat = DiffFormat.SIDE_BY_SIDE_MARKDOWN;
+  private List<String> comments = new ArrayList<>();
 
   protected TextDiffSubject(FailureMetadata metadata, List<String> actual) {
     super(metadata, actual);
@@ -83,10 +85,22 @@ public class TextDiffSubject extends Subject {
     return this;
   }
 
+  /** If set, ignore lines that start with the given string. */
+  public TextDiffSubject ignoringLinesThatStartWith(String comment) {
+    comments.add(comment);
+    return this;
+  }
+
+  private ImmutableList<String> filterComments(List<String> lines) {
+    return lines.stream()
+        .filter(line -> comments.stream().noneMatch(line::startsWith))
+        .collect(ImmutableList.toImmutableList());
+  }
+
   public void hasSameContentAs(List<String> expectedContent) {
     checkNotNull(expectedContent, "expectedContent");
-    ImmutableList<String> expected = ImmutableList.copyOf(expectedContent);
-    if (expected.equals(actual)) {
+    ImmutableList<String> expected = filterComments(expectedContent);
+    if (filterComments(expected).equals(filterComments(actual))) {
       return;
     }
     String diffString = diffFormat.generateDiff(expected, actual);

console-webapp/src/app/domains/domainList.component.ts

@@ -76,7 +76,7 @@ enum Operation {
   selector: 'app-reason-dialog',
   template: `
     <h2 mat-dialog-title>
-      Please provide a reason for {{ data.operation }} the domain(s):
+      Please provide the (EPP) reason for {{ data.operation }} the domain(s):
     </h2>
     <mat-dialog-content>
       <mat-form-field appearance="outline" style="width:100%">

console-webapp/src/app/users/userDetails.component.ts

@@ -67,17 +67,24 @@ export class UserDetailsComponent {
   }
 
   deleteUser() {
-    this.isLoading = true;
-    this.usersService.deleteUser(this.userDetails()).subscribe({
-      error: (err) => {
-        this._snackBar.open(err.error || err.message);
-        this.isLoading = false;
-      },
-      complete: () => {
-        this.isLoading = false;
-        this.goBack();
-      },
-    });
+    if (
+      confirm(
+        'This will permanently delete the user ' +
+          this.userDetails().emailAddress
+      )
+    ) {
+      this.isLoading = true;
+      this.usersService.deleteUser(this.userDetails()).subscribe({
+        error: (err) => {
+          this._snackBar.open(err.error || err.message);
+          this.isLoading = false;
+        },
+        complete: () => {
+          this.isLoading = false;
+          this.goBack();
+        },
+      });
+    }
   }
 
   goBack() {

core/src/main/java/google/registry/keyring/api/pgp-private-keyring.asc

@@ -1,32 +0,0 @@
------BEGIN PGP PRIVATE KEY BLOCK-----
-
-lQHYBFo8aRIBBAC8MA2xQXYvEbeLV1iMo4GC3lRFYvrUCarenhwoWufCYH6dGien
-/HhiB0eiDF672J4MtueHQ2M7UaGJgxAoQTG9c6O90vlmFFhPZ967U1MTdY/NLvDK
-bQEGzjdaUC1T/O6kr0O4GHRAyNyHa39Q75Oaj8MNdPsTmT4tDy+aFO6kKwARAQAB
-AAP9Gd59M12tUmEcGxKBwKuFVSkc6oDlvBosG/geJMoCS+0Z2pzK0MPbBJa9mSAc
-MbRgXZ0TDLwNuwzIqO+UXARCQu1ln/NlCcSzQZd5S80Of6CSoFMdFEb0kcpFW3z9
-rpZdIBpNNk2iyBro9+7JOLJgCUkZQX7jy2K4LM5eTJsnuMECANFBnrMUde43XBiT
-gixOJ5zbekGIIGq4QeRc8fJUDUhkFMq1znNriu30bB0Ld4Btlxzyn56tx8DVgx1+
-4anONuECAOY5nm2G9i46AUxQN3dB8IE0SMMHcRcz60eX68fke+1aYjdSQA/nf9hR
-l2f+gX9+y3cPqo7bFZzrDNECRm3J2IsB/2444JDTnzyME99jRYeEZGM0BXMWZEoO
-hLU7f2V8pdN1po6mZ5bZZv6LeTXWPCIqCuBxNHZAV/xH9oWmkpjnw8Sc77QpVGVz
-dCBSZWdpc3RyeSA8dGVzdC1yZWdpc3RyeUBleGFtcGxlLmNvbT6IuAQTAQIAIgUC
-WjxpEgIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQvIOfrLbgEN2NegP+
-JV+i4DxPTv3jfRDcpGy8yDANiIoBFSyARpqMqg0+TfV/UypuyjFTGfnLuQv+osce
-OKtPevH8gCc779+OqtqyNDcPooTG5K+eUYR77PYtfzsKk/Z/33tQtEJDb8WWn4G4
-R9Nh51MOz1X17oe3ih9HNvMGIrOG9VeWPsTxjXAzBoidAdgEWjxpEgEEANiasS9p
-bG53M3jeCwLX0PFgWgspMZl3QnU6bvaTsfMAHaklJ55Tj1wuaaQymHqNm6xElCN8
-MK8exDQQvPZwYVQOuoP3cHriCslLGznB943URcuxXz6R7F7WixYUeVVpQ4J0+gFu
-bR8PfThDCtHQyP+uYx9U+EVWIvuIZIchdjl9ABEBAAEAA/4xmt2sorthIf3g9pL1
-e/jfKoZ8i1rPT1NiNvdeE217neFtEPP9i5vni76ISskGOgN2hH8bkE+y7zwWQ2YP
-FyYGlvVcw2KjT7+SrAWCkgR6Y7hWib+RDcVGje+YH5MxGtBIX2W/zcOW5S9+nC3Q
-Y3Tzc3YQxF8sOeaHvrEb1tJ9eQIA5ivEjt43GgZq0nxacKLhleXyA9Z/JmwDg15z
-FCZCnPABmR72wpXzXe2gO18W3iiqwS/WFDbdSFwxDQ0lXSy8VQIA8Okv6Q2BNXEw
-H0hufK8P7aHvuOI1ll4qTw6QkY+z5hRZAcmmID3boQJeJAmVbUissYKUNJudmiUJ
-DPLQod+wiQIAtJWxlRgHvEHRjQS5tH13ERWLObBHdZcQvKcqdtTCZj1EVH7zVHpb
-qBLggo7QwPJTC+UMf/f4nPd1U2O6zXv66p5liJ8EGAECAAkFAlo8aRICGwwACgkQ
-vIOfrLbgEN141gP9GATYCoihm5igbZ0FL8YPPb5WvHpTEA4WgdIIUUCQ0TYJ2ZOC
-dK0i3qbb1xRRBJq006qSiE4vqQ7fHO8HxmEWaPLlsPvebGm39PUuzVyWx8I2w+0/
-qcxt5L2VVzbZFp6+Yoa+meRYsO77gAzUvqUG1yLWo6MD4pSUNYJA867BB/k=
-=mkAP
------END PGP PRIVATE KEY BLOCK-----

core/src/main/java/google/registry/rdap/RdapJsonFormatter.java

@@ -70,7 +70,7 @@ import google.registry.rdap.RdapObjectClasses.RdapRegistrarEntity;
 import google.registry.rdap.RdapObjectClasses.SecureDns;
 import google.registry.rdap.RdapObjectClasses.Vcard;
 import google.registry.rdap.RdapObjectClasses.VcardArray;
-import google.registry.request.FullServletPath;
+import google.registry.request.RequestServerName;
 import google.registry.util.Clock;
 import jakarta.persistence.Entity;
 import java.net.Inet4Address;
@@ -114,7 +114,7 @@ public class RdapJsonFormatter {
   @Nullable
   String rdapTosStaticUrl;
 
-  @Inject @FullServletPath String fullServletPath;
+  @Inject @RequestServerName String serverName;
   @Inject RdapAuthorization rdapAuthorization;
   @Inject Clock clock;
 
@@ -267,7 +267,7 @@ public class RdapJsonFormatter {
             .setDescription(rdapTos)
             .addLink(selfLink);
     if (rdapTosStaticUrl != null) {
-      URI htmlBaseURI = URI.create(fullServletPath);
+      URI htmlBaseURI = URI.create("https//:" + serverName + "/rdap/");
       URI htmlUri = htmlBaseURI.resolve(rdapTosStaticUrl);
       noticeBuilder.addLink(
           Link.builder()
@@ -1071,7 +1071,7 @@ public class RdapJsonFormatter {
 
   /** Create a link relative to the RDAP server endpoint. */
   String makeRdapServletRelativeUrl(String part, String... moreParts) {
-    return makeServerRelativeUrl(fullServletPath, part, moreParts);
+    return makeServerRelativeUrl("https://" + serverName + "/rdap/", part, moreParts);
   }
 
   /** Create a link relative to some base server */

core/src/main/java/google/registry/request/RequestModule.java

@@ -151,17 +151,9 @@ public final class RequestModule {
    * query string.
    */
   @Provides
-  @FullServletPath
-  static String provideFullServletPath(HttpServletRequest req) {
-    // Include the port only if it differs from the default for the scheme.
-    if (("http".equals(req.getScheme()) && (req.getServerPort() == 80))
-        || ("https".equals(req.getScheme()) && (req.getServerPort() == 443))) {
-      return String.format("%s://%s%s", req.getScheme(), req.getServerName(), req.getServletPath());
-    } else {
-      return String.format(
-          "%s://%s:%d%s",
-          req.getScheme(), req.getServerName(), req.getServerPort(), req.getServletPath());
-    }
+  @RequestServerName
+  static String provideServerName(HttpServletRequest req) {
+    return req.getServerName();
   }
 
   @Provides

core/src/main/java/google/registry/request/RequestServerName.java

@@ -20,11 +20,11 @@ import java.lang.annotation.RetentionPolicy;
 import javax.inject.Qualifier;
 
 /**
- * Dagger qualifier for the HTTP servlet path, prepended with scheme, host and port.
+ * Dagger qualifier for the server name of the HTTP request.
  *
- * <p>See {@link jakarta.servlet.http.HttpServletRequest#getServletPath}
+ * <p>See {@link jakarta.servlet.http.HttpServletRequest#getServerName()}
  */
 @Qualifier
 @Documented
 @Retention(RetentionPolicy.RUNTIME)
-public @interface FullServletPath {}
+public @interface RequestServerName {}

core/src/main/java/google/registry/tools/RegistryCli.java

@@ -25,7 +25,6 @@ import com.beust.jcommander.Parameters;
 import com.beust.jcommander.ParametersDelegate;
 import com.google.common.base.Throwables;
 import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Iterables;
 import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.persistence.transaction.TransactionManagerFactory;
@@ -42,13 +41,6 @@ import org.postgresql.util.PSQLException;
 @Parameters(separators = " =", commandDescription = "Command-line interface to the registry")
 final class RegistryCli implements CommandRunner {
 
-  private static final ImmutableSet<RegistryToolEnvironment> DEFAULT_GKE_ENVIRONMENTS =
-      ImmutableSet.of(
-          RegistryToolEnvironment.ALPHA,
-          RegistryToolEnvironment.CRASH,
-          RegistryToolEnvironment.QA,
-          RegistryToolEnvironment.SANDBOX);
-
   // The environment parameter is parsed twice: once here, and once with {@link
   // RegistryToolEnvironment#parseFromArgs} in the {@link RegistryTool#main} function.
   //
@@ -78,9 +70,6 @@ final class RegistryCli implements CommandRunner {
               + "Beam pipelines")
   private String sqlAccessInfoFile = null;
 
-  @Parameter(names = "--gke", description = "Whether to use GKE runtime, instead of GAE")
-  private boolean useGke = false;
-
   @Parameter(names = "--gae", description = "Whether to use GAE runtime, instead of GKE")
   private boolean useGae = false;
 
@@ -161,12 +150,6 @@ final class RegistryCli implements CommandRunner {
       throw e;
     }
 
-    checkState(!useGke || !useGae, "Cannot specify both --gke and --gae");
-    // Special logic to set the default based on the environment if neither --gae nor --gke is set.
-    if (!useGke && !useGae) {
-      useGke = DEFAULT_GKE_ENVIRONMENTS.contains(environment);
-    }
-
     String parsedCommand = jcommander.getParsedCommand();
     // Show the list of all commands either if requested or if no subcommand name was specified
     // (which does not throw a ParameterException parse error above).
@@ -186,7 +169,7 @@ final class RegistryCli implements CommandRunner {
         DaggerRegistryToolComponent.builder()
             .credentialFilePath(credentialJson)
             .sqlAccessInfoFile(sqlAccessInfoFile)
-            .useGke(useGke)
+            .useGke(!useGae)
             .useCanary(useCanary)
             .build();
 

core/src/test/java/google/registry/flows/domain/DomainCreateFlowTest.java

@@ -161,8 +161,6 @@ import google.registry.model.common.FeatureFlag;
 import google.registry.model.domain.Domain;
 import google.registry.model.domain.DomainHistory;
 import google.registry.model.domain.GracePeriod;
-import google.registry.model.domain.fee.BaseFee.FeeType;
-import google.registry.model.domain.fee.Fee;
 import google.registry.model.domain.fee.FeeQueryCommandExtensionItem.CommandName;
 import google.registry.model.domain.launch.LaunchNotice;
 import google.registry.model.domain.rgp.GracePeriodStatus;
@@ -287,59 +285,45 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
     persistContactsAndHosts("net"); // domain_create.xml uses hosts on "net".
   }
 
+  private void assertSuccessfulCreate(String domainTld, ImmutableSet<Flag> expectedBillingFlags)
+      throws Exception {
+    assertSuccessfulCreate(domainTld, expectedBillingFlags, null, 24, null);
+  }
+
   private void assertSuccessfulCreate(
-      String domainTld, ImmutableSet<BillingBase.Flag> expectedBillingFlags) throws Exception {
-    assertSuccessfulCreate(domainTld, expectedBillingFlags, null);
+      String domainTld, ImmutableSet<Flag> expectedBillingFlags, double createCost)
+      throws Exception {
+    assertSuccessfulCreate(domainTld, expectedBillingFlags, null, createCost, null);
+  }
+
+  private void assertSuccessfulCreate(
+      String domainTld, ImmutableSet<Flag> expectedBillingFlags, AllocationToken token)
+      throws Exception {
+    assertSuccessfulCreate(domainTld, expectedBillingFlags, token, 24, null);
   }
 
   private void assertSuccessfulCreate(
       String domainTld,
-      ImmutableSet<BillingBase.Flag> expectedBillingFlags,
-      @Nullable AllocationToken allocationToken)
+      ImmutableSet<Flag> expectedBillingFlags,
+      AllocationToken token,
+      double createCost)
+      throws Exception {
+    assertSuccessfulCreate(domainTld, expectedBillingFlags, token, createCost, null);
+  }
+
+  private void assertSuccessfulCreate(
+      String domainTld,
+      ImmutableSet<Flag> expectedBillingFlags,
+      @Nullable AllocationToken token,
+      double createCost,
+      @Nullable Integer specifiedRenewCost)
       throws Exception {
     Domain domain = reloadResourceByForeignKey();
 
     boolean isAnchorTenant = expectedBillingFlags.contains(ANCHOR_TENANT);
     // Set up the creation cost.
     boolean isDomainPremium = isDomainPremium(getUniqueIdFromCommand(), clock.nowUtc());
-    BigDecimal createCost = isDomainPremium ? BigDecimal.valueOf(200) : BigDecimal.valueOf(24);
-    if (isAnchorTenant) {
-      createCost = BigDecimal.ZERO;
-    }
-    if (expectedBillingFlags.contains(SUNRISE)) {
-      createCost =
-          createCost.multiply(
-              BigDecimal.valueOf(1 - RegistryConfig.getSunriseDomainCreateDiscount()));
-    }
-    if (allocationToken != null) {
-      if (allocationToken
-          .getRegistrationBehavior()
-          .equals(RegistrationBehavior.NONPREMIUM_CREATE)) {
-        createCost =
-            createCost.subtract(
-                BigDecimal.valueOf(isDomainPremium ? 87 : 0)); // premium is 100, standard 13
-      }
-      if (allocationToken.getRenewalPriceBehavior().equals(NONPREMIUM)) {
-        createCost =
-            createCost.subtract(
-                BigDecimal.valueOf(isDomainPremium ? 89 : 0)); // premium is 100, standard 11
-      }
-      if (allocationToken.getRenewalPriceBehavior().equals(SPECIFIED)) {
-        createCost =
-            createCost
-                .subtract(BigDecimal.valueOf(isDomainPremium ? 100 : 11))
-                .add(allocationToken.getRenewalPrice().get().getAmount());
-      }
-    }
-    FeesAndCredits feesAndCredits =
-        new FeesAndCredits.Builder()
-            .setCurrency(USD)
-            .addFeeOrCredit(
-                Fee.create(
-                    createCost,
-                    FeeType.CREATE,
-                    isDomainPremium(getUniqueIdFromCommand(), clock.nowUtc())))
-            .build();
+
     Money eapFee =
         Money.of(
             Tld.get(domainTld).getCurrency(),
@@ -362,7 +346,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
     RenewalPriceBehavior expectedRenewalPriceBehavior =
         isAnchorTenant
             ? RenewalPriceBehavior.NONPREMIUM
-            : Optional.ofNullable(allocationToken)
+            : Optional.ofNullable(token)
                 .map(AllocationToken::getRenewalPriceBehavior)
                 .orElse(RenewalPriceBehavior.DEFAULT);
     // There should be one bill for the create and one for the recurrence autorenew event.
@@ -371,13 +355,13 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
             .setReason(Reason.CREATE)
             .setTargetId(getUniqueIdFromCommand())
             .setRegistrarId("TheRegistrar")
-            .setCost(feesAndCredits.getCreateCost())
+            .setCost(Money.of(USD, BigDecimal.valueOf(createCost)))
             .setPeriodYears(2)
             .setEventTime(clock.nowUtc())
             .setBillingTime(billingTime)
             .setFlags(expectedBillingFlags)
             .setDomainHistory(historyEntry)
-            .setAllocationToken(allocationToken == null ? null : allocationToken.createVKey())
+            .setAllocationToken(Optional.ofNullable(token).map(t -> t.createVKey()).orElse(null))
             .build();
 
     BillingRecurrence renewBillingEvent =
@@ -391,8 +375,8 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
             .setDomainHistory(historyEntry)
             .setRenewalPriceBehavior(expectedRenewalPriceBehavior)
             .setRenewalPrice(
-                Optional.ofNullable(allocationToken)
-                    .flatMap(AllocationToken::getRenewalPrice)
+                Optional.ofNullable(specifiedRenewCost)
+                    .map(r -> Money.of(USD, BigDecimal.valueOf(r)))
                     .orElse(null))
             .build();
 
@@ -480,7 +464,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
     assertMutatingFlow(true);
     runFlowAssertResponse(
         CommitMode.LIVE, userPrivileges, loadFile(responseXmlFile, substitutions));
-    assertSuccessfulCreate(domainTld, ImmutableSet.of());
+    assertSuccessfulCreate(domainTld, ImmutableSet.of(), 24);
     assertNoLordn();
   }
 
@@ -886,10 +870,14 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
                     clock.nowUtc().plusDays(1),
                     Money.of(USD, 0)))
             .build());
-    doSuccessfulTest(
-        "example",
-        "domain_create_response_premium_eap.xml",
-        ImmutableMap.of("DOMAIN", "rich.example"));
+    assertMutatingFlow(true);
+    runFlowAssertResponse(
+        CommitMode.LIVE,
+        UserPrivileges.NORMAL,
+        loadFile(
+            "domain_create_response_premium_eap.xml", ImmutableMap.of("DOMAIN", "rich.example")));
+    assertSuccessfulCreate("example", ImmutableSet.of(), 200);
+    assertNoLordn();
   }
 
   /**
@@ -1336,7 +1324,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
     setEppInput("domain_create_anchor_allocationtoken.xml");
     persistContactsAndHosts();
     runFlowAssertResponse(loadFile("domain_create_anchor_response.xml"));
-    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), allocationToken);
+    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), allocationToken, 0);
     assertNoLordn();
     assertAllocationTokenWasRedeemed("abcDEF23456");
   }
@@ -1350,7 +1338,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
                 .setTokenType(SINGLE_USE)
                 .setDomainName("resdom.tld")
                 .setRenewalPriceBehavior(SPECIFIED)
-                .setRenewalPrice(Money.of(USD, 0))
+                .setRenewalPrice(Money.of(USD, 1))
                 .build());
     // Despite the domain being FULLY_BLOCKED, the non-superuser create succeeds the domain is also
     // RESERVED_FOR_SPECIFIC_USE and the correct allocation token is passed.
@@ -1359,7 +1347,8 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
     persistContactsAndHosts();
     runFlowAssertResponse(
         loadFile("domain_create_response.xml", ImmutableMap.of("DOMAIN", "resdom.tld")));
-    assertSuccessfulCreate("tld", ImmutableSet.of(RESERVED), allocationToken);
+    // $13 for the first year plus $1 renewal for the second year =
+    assertSuccessfulCreate("tld", ImmutableSet.of(RESERVED), allocationToken, 14, 1);
     assertNoLordn();
     assertAllocationTokenWasRedeemed("abc123");
   }
@@ -1379,7 +1368,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
     setEppInput("domain_create_anchor_allocationtoken.xml");
     persistContactsAndHosts();
     runFlowAssertResponse(loadFile("domain_create_anchor_response.xml"));
-    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), allocationToken);
+    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), allocationToken, 0);
     assertNoLordn();
     assertAllocationTokenWasRedeemed("abcDEF23456");
   }
@@ -1402,7 +1391,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
     clock.setTo(DateTime.parse("2009-08-16T09:00:00.0Z"));
     persistContactsAndHosts();
     runFlowAssertResponse(loadFile("domain_create_response_claims.xml"));
-    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), allocationToken);
+    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), allocationToken, 0);
     assertDomainDnsRequests("example-one.tld");
     assertClaimsLordn();
     assertAllocationTokenWasRedeemed("abcDEF23456");
@@ -1415,7 +1404,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
     persistContactsAndHosts();
     runFlowAssertResponse(
         loadFile("domain_create_response.xml", ImmutableMap.of("DOMAIN", "example.tld")));
-    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT));
+    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), 0);
     assertNoLordn();
   }
 
@@ -1450,7 +1439,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
                 SMD_VALID_TIME.toString(),
                 "EXPIRATION_TIME",
                 SMD_VALID_TIME.plusYears(2).toString())));
-    assertSuccessfulCreate("tld", ImmutableSet.of(SUNRISE, ANCHOR_TENANT));
+    assertSuccessfulCreate("tld", ImmutableSet.of(SUNRISE, ANCHOR_TENANT), 0);
   }
 
   @Test
@@ -1482,7 +1471,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
                 SMD_VALID_TIME.toString(),
                 "EXPIRATION_TIME",
                 SMD_VALID_TIME.plusYears(2).toString())));
-    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT, SUNRISE), allocationToken);
+    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT, SUNRISE), allocationToken, 0);
     assertDomainDnsRequests("test-validate.tld");
     assertSunriseLordn();
     assertAllocationTokenWasRedeemed("abcDEF23456");
@@ -1505,7 +1494,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
     setEppInput("domain_create_anchor_allocationtoken.xml");
     persistContactsAndHosts();
     runFlowAssertResponse(loadFile("domain_create_anchor_response.xml"));
-    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), allocationToken);
+    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), allocationToken, 0);
     assertNoLordn();
     assertAllocationTokenWasRedeemed("abcDEF23456");
   }
@@ -1929,7 +1918,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
         loadFile(
             "domain_create_response_premium.xml",
             ImmutableMap.of("EXDATE", "2001-04-03T22:00:00.0Z", "FEE", "200.00")));
-    assertSuccessfulCreate("example", ImmutableSet.of());
+    assertSuccessfulCreate("example", ImmutableSet.of(), 200);
   }
 
   private BillingEvent runTest_defaultToken(String token) throws Exception {
@@ -2148,7 +2137,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
         loadFile(
             "domain_create_response_premium.xml",
             ImmutableMap.of("EXDATE", "2001-04-03T22:00:00.0Z", "FEE", "200.00")));
-    assertSuccessfulCreate("example", ImmutableSet.of());
+    assertSuccessfulCreate("example", ImmutableSet.of(), 200);
   }
 
   @Test
@@ -2572,7 +2561,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
     persistContactsAndHosts();
     persistBsaLabel("anchor");
     runFlowAssertResponse(loadFile("domain_create_anchor_response.xml"));
-    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), allocationToken);
+    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), allocationToken, 0);
     assertNoLordn();
     assertAllocationTokenWasRedeemed("abcDEF23456");
   }
@@ -2738,7 +2727,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
                 SMD_VALID_TIME.toString(),
                 "EXPIRATION_TIME",
                 SMD_VALID_TIME.plusYears(2).toString())));
-    assertSuccessfulCreate("tld", ImmutableSet.of(SUNRISE));
+    assertSuccessfulCreate("tld", ImmutableSet.of(SUNRISE), 20.40);
     assertSunriseLordn();
   }
 
@@ -2761,7 +2750,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
                 SMD_VALID_TIME.toString(),
                 "EXPIRATION_TIME",
                 SMD_VALID_TIME.plusYears(2).toString())));
-    assertSuccessfulCreate("tld", ImmutableSet.of(SUNRISE));
+    assertSuccessfulCreate("tld", ImmutableSet.of(SUNRISE), 20.40);
     assertSunriseLordn();
   }
 
@@ -3245,7 +3234,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
         "domain_create_allocationtoken.xml",
         ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2"));
     runFlow();
-    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), token);
+    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), token, 0);
   }
 
   @Test
@@ -3265,7 +3254,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
         "domain_create_premium_allocationtoken.xml",
         ImmutableMap.of("YEARS", "2", "FEE", "111.00"));
     runFlow();
-    assertSuccessfulCreate("example", ImmutableSet.of(), token);
+    assertSuccessfulCreate("example", ImmutableSet.of(), token, 111);
   }
 
   @Test
@@ -3286,7 +3275,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
         "domain_create_premium_allocationtoken.xml",
         ImmutableMap.of("YEARS", "2", "FEE", "101.00"));
     runFlow();
-    assertSuccessfulCreate("example", ImmutableSet.of(), token);
+    assertSuccessfulCreate("example", ImmutableSet.of(), token, 101, 1);
   }
 
   @Test
@@ -3438,7 +3427,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
         ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2"));
     persistContactsAndHosts();
     runFlow();
-    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), token);
+    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), token, 0);
   }
 
   @Test
@@ -3492,7 +3481,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
         "domain_create_allocationtoken.xml",
         ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2"));
     runFlow();
-    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), token);
+    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), token, 0);
   }
 
   @Test
@@ -3510,7 +3499,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
             .build());
     persistContactsAndHosts();
     runFlow();
-    assertSuccessfulCreate("tld", ImmutableSet.of(SUNRISE, ANCHOR_TENANT), allocationToken);
+    assertSuccessfulCreate("tld", ImmutableSet.of(SUNRISE, ANCHOR_TENANT), allocationToken, 0);
   }
 
   @Test
@@ -3572,7 +3561,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
         "domain_create_allocationtoken.xml",
         ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2"));
     runFlow();
-    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), token);
+    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), token, 0);
   }
 
   @Test
@@ -3599,7 +3588,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
     setEppInput("domain_create_allocationtoken_claims.xml");
     persistContactsAndHosts();
     runFlow();
-    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), allocationToken);
+    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), allocationToken, 0);
   }
 
   @Test
@@ -3649,7 +3638,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
         "domain_create_allocationtoken.xml",
         ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2"));
     runFlow();
-    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), token);
+    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), token, 0);
   }
 
   @Test
@@ -3663,7 +3652,7 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
     setEppInput("domain_create_allocationtoken_claims.xml");
     persistContactsAndHosts();
     runFlow();
-    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), allocationToken);
+    assertSuccessfulCreate("tld", ImmutableSet.of(ANCHOR_TENANT), allocationToken, 0);
   }
 
   @Test

core/src/test/java/google/registry/rdap/RdapJsonFormatterTest.java

@@ -406,26 +406,6 @@ class RdapJsonFormatterTest {
         .isEqualTo(loadJson("rdapjson_registrant_logged_out.json"));
   }
 
-  @Test
-  void testRegistrant_baseHasNoTrailingSlash() {
-    // First, make sure we have a trailing slash at the end by default!
-    // This test tries to change the default state, if the default doesn't have a /, then this test
-    // doesn't help.
-    assertThat(rdapJsonFormatter.fullServletPath).endsWith("/");
-    rdapJsonFormatter.fullServletPath =
-        rdapJsonFormatter.fullServletPath.substring(
-            0, rdapJsonFormatter.fullServletPath.length() - 1);
-    assertAboutJson()
-        .that(
-            rdapJsonFormatter
-                .createRdapContactEntity(
-                    contactRegistrant,
-                    ImmutableSet.of(RdapEntity.Role.REGISTRANT),
-                    OutputDataType.FULL)
-                .toJson())
-        .isEqualTo(loadJson("rdapjson_registrant.json"));
-  }
-
   @Test
   void testAdmin() {
     assertAboutJson()

core/src/test/java/google/registry/rdap/RdapTestHelper.java

@@ -150,7 +150,7 @@ class RdapTestHelper {
   static RdapJsonFormatter getTestRdapJsonFormatter(Clock clock) {
     RdapJsonFormatter rdapJsonFormatter = new RdapJsonFormatter();
     rdapJsonFormatter.rdapAuthorization = RdapAuthorization.PUBLIC_AUTHORIZATION;
-    rdapJsonFormatter.fullServletPath = "https://example.tld/rdap/";
+    rdapJsonFormatter.serverName = "example.tld";
     rdapJsonFormatter.clock = clock;
     rdapJsonFormatter.rdapTos =
         ImmutableList.of(

db/src/main/java/google/registry/persistence/NomulusPostgreSql.java

@@ -23,7 +23,7 @@ public class NomulusPostgreSql {
 
   /** The current PostgreSql version in Cloud SQL. */
   // TODO(weiminyu): setup periodic checks to detect version changes in Cloud SQL.
-  private static final String TARGET_VERSION = "11.21-alpine";
+  private static final String TARGET_VERSION = "17-alpine";
 
   /**
    * Returns the docker image of the targeted Postgresql server version.

db/src/main/resources/sql/er_diagram/brief_er_diagram.html

@@ -257,11 +257,11 @@ td.section {
    <tbody>
     <tr>
      <td class="property_name">generated by</td>
-     <td class="property_value">SchemaCrawler 16.23.2</td>
+     <td class="property_value">SchemaCrawler 16.25.2</td>
     </tr>
     <tr>
      <td class="property_name">generated on</td>
-     <td class="property_value">2024-12-09 22:31:09</td>
+     <td class="property_value">2025-02-16 20:10:13</td>
     </tr>
     <tr>
      <td class="property_name">last flyway file</td>
@@ -278,9 +278,9 @@ td.section {
     </title>
     <polygon fill="white" stroke="transparent" points="-4,4 -4,-3577.64 4860,-3577.64 4860,4 -4,4" />
     <text text-anchor="start" x="4616" y="-29.8" font-family="Helvetica,sans-Serif" font-size="14.00">generated by</text>
-    <text text-anchor="start" x="4699" y="-29.8" font-family="Helvetica,sans-Serif" font-size="14.00">SchemaCrawler 16.23.2</text>
+    <text text-anchor="start" x="4699" y="-29.8" font-family="Helvetica,sans-Serif" font-size="14.00">SchemaCrawler 16.25.2</text>
     <text text-anchor="start" x="4615" y="-10.8" font-family="Helvetica,sans-Serif" font-size="14.00">generated on</text>
-    <text text-anchor="start" x="4699" y="-10.8" font-family="Helvetica,sans-Serif" font-size="14.00">2024-12-09 22:31:09</text>
+    <text text-anchor="start" x="4699" y="-10.8" font-family="Helvetica,sans-Serif" font-size="14.00">2025-02-16 20:10:13</text>
     <polygon fill="none" stroke="#888888" points="4612,-4 4612,-44 4848,-44 4848,-4 4612,-4" /> <!-- allocationtoken_a08ccbef -->
     <g id="node1" class="node">
      <title>
@@ -2716,6 +2716,11 @@ td.section {
      <td class="minwidth">recurrence_last_expansion</td>
      <td class="minwidth">timestamptz not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default '2021-05-31 20:00:00-04'::timestamp with time zone</td>
+    </tr>
     <tr>
      <td colspan="3"></td>
     </tr>
@@ -2825,6 +2830,11 @@ td.section {
      <td class="minwidth"><b><i>job_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"BsaDomainRefresh_job_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -2861,6 +2871,11 @@ td.section {
      <td class="minwidth"><b><i>job_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"BsaDownload_job_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -3069,6 +3084,11 @@ td.section {
      <td class="minwidth"><b><i>revision_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"ClaimsList_revision_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -3639,6 +3659,11 @@ td.section {
      <td class="minwidth"><b><i>id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"DnsRefreshRequest_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -3785,6 +3810,11 @@ td.section {
      <td class="minwidth">lordn_phase</td>
      <td class="minwidth">text not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default 'NONE'::text</td>
+    </tr>
     <tr>
      <td colspan="3"></td>
     </tr>
@@ -4334,6 +4364,11 @@ td.section {
      <td class="minwidth"><b><i>id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"DomainTransactionRecord_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -4895,6 +4930,11 @@ td.section {
      <td class="minwidth"><b><i>package_promotion_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"Package_promotion_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -5188,6 +5228,11 @@ td.section {
      <td class="minwidth"><b><i>revision_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"PremiumList_revision_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -5873,6 +5918,11 @@ td.section {
      <td class="minwidth"><b><i>revision_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"RegistryLock_revision_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -6006,6 +6056,11 @@ td.section {
      <td class="minwidth"><b><i>revision_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"ReservedList_revision_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -6065,6 +6120,11 @@ td.section {
      <td class="minwidth"><b><i>id</i></b></td>
      <td class="minwidth">int8 not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default 1</td>
+    </tr>
     <tr>
      <td colspan="3"></td>
     </tr>
@@ -6155,6 +6215,11 @@ td.section {
      <td class="minwidth"><b><i>revision_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"SignedMarkRevocationList_revision_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -6209,6 +6274,11 @@ td.section {
      <td class="minwidth"><b><i>id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"SafeBrowsingThreat_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -6321,6 +6391,11 @@ td.section {
      <td class="minwidth"><b><i>id</i></b></td>
      <td class="minwidth">int8 not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default 1</td>
+    </tr>
     <tr>
      <td colspan="3"></td>
     </tr>

db/src/main/resources/sql/er_diagram/full_er_diagram.html

@@ -257,11 +257,11 @@ td.section {
    <tbody>
     <tr>
      <td class="property_name">generated by</td>
-     <td class="property_value">SchemaCrawler 16.23.2</td>
+     <td class="property_value">SchemaCrawler 16.25.2</td>
     </tr>
     <tr>
      <td class="property_name">generated on</td>
-     <td class="property_value">2024-12-09 22:31:07</td>
+     <td class="property_value">2025-02-16 20:10:10</td>
     </tr>
     <tr>
      <td class="property_name">last flyway file</td>
@@ -278,9 +278,9 @@ td.section {
     </title>
     <polygon fill="white" stroke="transparent" points="-4,4 -4,-7933.5 5565,-7933.5 5565,4 -4,4" />
     <text text-anchor="start" x="5321" y="-29.8" font-family="Helvetica,sans-Serif" font-size="14.00">generated by</text>
-    <text text-anchor="start" x="5404" y="-29.8" font-family="Helvetica,sans-Serif" font-size="14.00">SchemaCrawler 16.23.2</text>
+    <text text-anchor="start" x="5404" y="-29.8" font-family="Helvetica,sans-Serif" font-size="14.00">SchemaCrawler 16.25.2</text>
     <text text-anchor="start" x="5320" y="-10.8" font-family="Helvetica,sans-Serif" font-size="14.00">generated on</text>
-    <text text-anchor="start" x="5404" y="-10.8" font-family="Helvetica,sans-Serif" font-size="14.00">2024-12-09 22:31:07</text>
+    <text text-anchor="start" x="5404" y="-10.8" font-family="Helvetica,sans-Serif" font-size="14.00">2025-02-16 20:10:10</text>
     <polygon fill="none" stroke="#888888" points="5317,-4 5317,-44 5553,-44 5553,-4 5317,-4" /> <!-- allocationtoken_a08ccbef -->
     <g id="node1" class="node">
      <title>
@@ -3986,11 +3986,21 @@ td.section {
      <td class="minwidth">renewal_price_behavior</td>
      <td class="minwidth">text not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default 'DEFAULT'::text</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth">registration_behavior</td>
      <td class="minwidth">text not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default 'DEFAULT'::text</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth">allowed_epp_actions</td>
@@ -4755,6 +4765,11 @@ td.section {
      <td class="minwidth">renewal_price_behavior</td>
      <td class="minwidth">text not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default 'DEFAULT'::text</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth">renewal_price_currency</td>
@@ -4770,6 +4785,11 @@ td.section {
      <td class="minwidth">recurrence_last_expansion</td>
      <td class="minwidth">timestamptz not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default '2021-05-31 20:00:00-04'::timestamp with time zone</td>
+    </tr>
     <tr>
      <td colspan="3"></td>
     </tr>
@@ -4986,6 +5006,11 @@ td.section {
      <td class="minwidth"><b><i>job_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"BsaDomainRefresh_job_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -5055,6 +5080,11 @@ td.section {
      <td class="minwidth"><b><i>job_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"BsaDownload_job_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -5392,6 +5422,11 @@ td.section {
      <td class="minwidth"><b><i>revision_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"ClaimsList_revision_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -6866,6 +6901,11 @@ td.section {
      <td class="minwidth"><b><i>id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"DnsRefreshRequest_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -7224,6 +7264,11 @@ td.section {
      <td class="minwidth">lordn_phase</td>
      <td class="minwidth">text not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default 'NONE'::text</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth">last_update_time_via_epp</td>
@@ -8154,6 +8199,11 @@ td.section {
      <td class="minwidth">lordn_phase</td>
      <td class="minwidth">text not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default 'NONE'::text</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth">last_update_time_via_epp</td>
@@ -8494,6 +8544,11 @@ td.section {
      <td class="minwidth"><b><i>id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"DomainTransactionRecord_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -9622,6 +9677,11 @@ td.section {
      <td class="minwidth"><b><i>package_promotion_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"Package_promotion_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -10154,6 +10214,11 @@ td.section {
      <td class="minwidth"><b><i>revision_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"PremiumList_revision_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -11688,6 +11753,11 @@ td.section {
      <td class="minwidth"><b><i>revision_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"RegistryLock_revision_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -11958,6 +12028,11 @@ td.section {
      <td class="minwidth"><b><i>revision_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"ReservedList_revision_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -12057,6 +12132,11 @@ td.section {
      <td class="minwidth"><b><i>id</i></b></td>
      <td class="minwidth">int8 not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default 1</td>
+    </tr>
     <tr>
      <td colspan="3"></td>
     </tr>
@@ -12193,6 +12273,11 @@ td.section {
      <td class="minwidth"><b><i>revision_id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"SignedMarkRevocationList_revision_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -12270,6 +12355,11 @@ td.section {
      <td class="minwidth"><b><i>id</i></b></td>
      <td class="minwidth">bigserial not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default nextval('"SafeBrowsingThreat_id_seq"'::regclass)</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth"></td>
@@ -12595,6 +12685,11 @@ td.section {
      <td class="minwidth">breakglass_mode</td>
      <td class="minwidth">bool not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default false</td>
+    </tr>
     <tr>
      <td class="spacer"></td>
      <td class="minwidth">bsa_enroll_start_time</td>
@@ -12699,6 +12794,11 @@ td.section {
      <td class="minwidth"><b><i>id</i></b></td>
      <td class="minwidth">int8 not null</td>
     </tr>
+    <tr>
+     <td class="spacer"></td>
+     <td class="minwidth"></td>
+     <td class="minwidth">default 1</td>
+    </tr>
     <tr>
      <td colspan="3"></td>
     </tr>

db/src/main/resources/sql/schema/nomulus.golden.sql

@@ -2,12 +2,13 @@
 -- PostgreSQL database dump
 --
 
--- Dumped from database version 11.21
--- Dumped by pg_dump version 11.21
+-- Dumped from database version 17.4
+-- Dumped by pg_dump version 17.4
 
 SET statement_timeout = 0;
 SET lock_timeout = 0;
 SET idle_in_transaction_session_timeout = 0;
+SET transaction_timeout = 0;
 SET client_encoding = 'UTF8';
 SET standard_conforming_strings = on;
 SELECT pg_catalog.set_config('search_path', '', false);
@@ -32,7 +33,7 @@ COMMENT ON EXTENSION hstore IS 'data type for storing sets of (key, value) pairs
 
 SET default_tablespace = '';
 
-SET default_with_oids = false;
+SET default_table_access_method = heap;
 
 --
 -- Name: AllocationToken; Type: TABLE; Schema: public; Owner: -

db/src/test/java/google/registry/sql/flyway/SchemaTest.java

@@ -115,6 +115,7 @@ class SchemaTest {
             Joiner.on(File.separatorChar).join(MOUNTED_RESOURCE_PATH, DUMP_OUTPUT_FILE));
 
     assertThat(dumpedSchema)
+        .ignoringLinesThatStartWith("--")
         .hasSameContentAs(Resources.getResource("sql/schema/nomulus.golden.sql"));
   }
 

jetty/deploy-nomulus-for-env.sh

@@ -37,15 +37,19 @@ for service in frontend backend pubapi console
 do
   sed s/GCP_PROJECT/"${project}"/g "./kubernetes/nomulus-${service}.yaml" | \
   sed s/ENVIRONMENT/"${environment}"/g | \
+  sed s/PROXY_ENV/"${environment}"/g | \
+  sed s/EPP/"epp"/g | \
   kubectl apply -f -
+  kubectl rollout restart deployment/${service}
   # canary
   sed s/GCP_PROJECT/"${project}"/g "./kubernetes/nomulus-${service}.yaml" | \
   sed s/ENVIRONMENT/"${environment}"/g | \
+  sed s/PROXY_ENV/"${environment}_canary"/g | \
+  sed s/EPP/"epp-canary"/g | \
   sed s/"${service}"/"${service}-canary"/g | \
   kubectl apply -f -
+  kubectl rollout restart deployment/${service}-canary
 done
-# Kills all running pods, new pods created will be pulling the new image.
-kubectl delete pods --all
 kubectl apply -f "./kubernetes/gateway/nomulus-gateway.yaml"
 kubectl apply -f "./kubernetes/gateway/nomulus-iap-${environment}.yaml"
 for service in frontend backend console pubapi
@@ -57,4 +61,16 @@ do
   sed s/SERVICE/"${service}-canary"/g "./kubernetes/gateway/nomulus-backend-policy-${environment}.yaml" | \
   kubectl apply -f -
 done
+
+# Restart proxies
+while read line
+do
+  parts=(${line})
+  echo "Updating cluster ${parts[0]} in location ${parts[1]}..."
+  gcloud container clusters get-credentials ${parts[0]} \
+    --project ${project} --location ${parts[1]}
+  kubectl rollout restart deployment/proxy-deployment
+  kubectl rollout restart deployment/proxy-deployment-canary
+done < <(gcloud container clusters list --project ${project} | grep proxy-cluster)
+
 kubectl config use-context "$current_context"

jetty/get-endpoints.py

@@ -1,158 +0,0 @@
-#! /bin/env python3
-# Copyright 2024 The Nomulus Authors. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-'''
-A script that outputs the IP endpoints of various load balancers, to be run
-after Nomulus is deployed.
-'''
-
-import ipaddress
-import json
-import subprocess
-import sys
-from dataclasses import dataclass
-from ipaddress import IPv4Address
-from ipaddress import IPv6Address
-from operator import attrgetter
-from operator import methodcaller
-
-
-class PreserveContext:
-    def __enter__(self):
-        self._context = run_command('kubectl config current-context')
-
-    def __exit__(self, type, value, traceback):
-        run_command('kubectl config use-context ' + self._context)
-
-
-class UseCluster(PreserveContext):
-    def __init__(self, cluster: str, region: str, project: str):
-        self._cluster = cluster
-        self._region = region
-        self._project = project
-
-    def __enter__(self):
-        super().__enter__()
-        cmd = (f'gcloud container fleet memberships get-credentials'
-                   f' {self._cluster} --project {self._project}')
-        run_command(cmd)
-
-
-def run_command(cmd: str, print_output=False) -> str:
-    proc = subprocess.run(cmd, text=True, shell=True, stdout=subprocess.PIPE,
-                          stderr=subprocess.STDOUT)
-    if print_output:
-        print(proc.stdout)
-    return proc.stdout
-
-
-def get_clusters(project: str) -> dict[str, str]:
-    cmd = f'gcloud container clusters list --project {project} --format=json'
-    content = json.loads(run_command(cmd))
-    res = {}
-    for item in content:
-        name = item['name']
-        region = item['location']
-        if not name.startswith('nomulus-cluster'):
-            continue
-        res[name] = region
-    return res
-
-
-def get_endpoints(resource: str, service: str, jsonpath: str) -> list[
-    str]:
-    content = run_command(
-            f'kubectl get {resource}/{service} -o jsonpath={jsonpath}', )
-    return content.split()
-
-
-def get_region_symbol(region: str) -> str:
-    if region.startswith('us'):
-        return 'amer'
-    if region.startswith('europe'):
-        return 'emea'
-    if region.startswith('asia'):
-        return 'apac'
-    return 'other'
-
-
-@dataclass
-class IP:
-    service: str
-    region: str
-    address: IPv4Address | IPv6Address
-
-    def is_ipv6(self) -> bool:
-        return self.address.version == 6
-
-    def __str__(self) -> str:
-        return f'{self.service} {self.region}: {self.address}'
-
-
-def terraform_str(item) -> str:
-    res = ""
-    if (isinstance(item, dict)):
-        res += '{\n'
-        for key, value in item.items():
-            res += f'{key} = {terraform_str(value)}\n'
-        res += '}'
-    elif (isinstance(item, list)):
-        res += '['
-        for i, value in enumerate(item):
-            if i != 0:
-                res += ', '
-            res += terraform_str(value)
-        res += ']'
-    else:
-        res += f'"{item}"'
-    return res
-
-
-if __name__ == '__main__':
-    if len(sys.argv) != 2:
-        raise ValueError('Usage: get-endpoints.py <project>')
-    project = sys.argv[1]
-    print(f'Project: {project}')
-    clusters = get_clusters(project)
-    ips = []
-    res = {}
-    for cluster, region in clusters.items():
-        with UseCluster(cluster, region, project):
-            for service in ['whois', 'whois-canary', 'epp', 'epp-canary']:
-                map_key = service.replace('-', '_')
-                for ip in get_endpoints('services', service,
-                                        '{.status.loadBalancer.ingress[*].ip}'):
-                    ip = ipaddress.ip_address(ip)
-                    if isinstance(ip, IPv4Address):
-                        map_key_with_iptype = map_key + '_ipv4'
-                    else:
-                        map_key_with_iptype = map_key + '_ipv6'
-                    if map_key_with_iptype not in res:
-                        res[map_key_with_iptype] = {}
-                    res[map_key_with_iptype][get_region_symbol(region)] = [ip]
-                    ips.append(IP(service, get_region_symbol(region), ip))
-            if not region.startswith('us'):
-                continue
-            ip = get_endpoints('gateways.gateway.networking.k8s.io', 'nomulus',
-                               '{.status.addresses[*].value}')[0]
-            print(f'nomulus: {ip}')
-            res['https_ip'] = ipaddress.ip_address(ip)
-    ips.sort(key=attrgetter('region'))
-    ips.sort(key=methodcaller('is_ipv6'))
-    ips.sort(key=attrgetter('service'))
-    for ip in ips:
-        print(ip)
-    print("Terraform friendly output:")
-    print(terraform_str(res))

jetty/kubernetes/gateway/nomulus-gateway.yaml

@@ -4,7 +4,18 @@ metadata:
   name: nomulus
 spec:
   gatewayClassName: gke-l7-global-external-managed-mc
+  addresses:
+  - type: NamedAddress
+    value: nomulus-ipv4-address
+  - type: NamedAddress
+    value: nomulus-ipv6-address
   listeners:
+  - name: http
+    protocol: HTTP
+    port: 80
+    allowedRoutes:
+      kinds:
+      - kind: HTTPRoute
   - name: https
     protocol: HTTPS
     port: 443
@@ -15,3 +26,19 @@ spec:
     allowedRoutes:
       kinds:
       - kind: HTTPRoute
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: redirect
+spec:
+  parentRefs:
+  - kind: Gateway
+    name: nomulus
+    sectionName: http
+  rules:
+  - filters:
+    - type: RequestRedirect
+      requestRedirect:
+        scheme: https
+

jetty/kubernetes/gateway/nomulus-route-backend.yaml

@@ -6,6 +6,7 @@ spec:
   parentRefs:
   - kind: Gateway
     name: nomulus
+    sectionName: https
   hostnames:
     - "backend.BASE_DOMAIN"
   rules:

jetty/kubernetes/gateway/nomulus-route-console.yaml

@@ -6,6 +6,7 @@ spec:
   parentRefs:
   - kind: Gateway
     name: nomulus
+    sectionName: https
   hostnames:
     - "console.BASE_DOMAIN"
   rules:

jetty/kubernetes/gateway/nomulus-route-frontend.yaml

@@ -6,6 +6,7 @@ spec:
   parentRefs:
   - kind: Gateway
     name: nomulus
+    sectionName: https
   hostnames:
     - "frontend.BASE_DOMAIN"
   rules:

jetty/kubernetes/gateway/nomulus-route-pubapi.yaml

@@ -6,6 +6,7 @@ spec:
   parentRefs:
   - kind: Gateway
     name: nomulus
+    sectionName: https
   hostnames:
     - "pubapi.BASE_DOMAIN"
   rules:

jetty/kubernetes/nomulus-backend.yaml

@@ -2,6 +2,8 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: backend
+  annotations:
+    tag: "latest"
 spec:
   selector:
     matchLabels:
@@ -12,6 +14,8 @@ spec:
         service: backend
     spec:
       serviceAccountName: nomulus
+      nodeSelector:
+        cloud.google.com/compute-class: "Performance"
       containers:
       - name: backend
         image: gcr.io/GCP_PROJECT/nomulus
@@ -20,7 +24,8 @@ spec:
           name: http
         resources:
           requests:
-            cpu: "500m"
+            cpu: "100m"
+            memory: "512Mi"
         args: [ENVIRONMENT]
         env:
         - name: POD_ID

jetty/kubernetes/nomulus-console.yaml

@@ -2,6 +2,8 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: console
+  annotations:
+    tag: "latest"
 spec:
   selector:
     matchLabels:
@@ -12,6 +14,8 @@ spec:
         service: console
     spec:
       serviceAccountName: nomulus
+      nodeSelector:
+        cloud.google.com/compute-class: "Performance"
       containers:
       - name: console
         image: gcr.io/GCP_PROJECT/nomulus
@@ -20,7 +24,8 @@ spec:
           name: http
         resources:
           requests:
-            cpu: "500m"
+            cpu: "100m"
+            memory: "512Mi"
         args: [ENVIRONMENT]
         env:
         - name: POD_ID

jetty/kubernetes/nomulus-frontend.yaml

@@ -2,6 +2,8 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: frontend
+  annotations:
+    tag: "latest"
 spec:
   selector:
     matchLabels:
@@ -12,6 +14,8 @@ spec:
         service: frontend
     spec:
       serviceAccountName: nomulus
+      nodeSelector:
+        cloud.google.com/compute-class: "Performance"
       containers:
       - name: frontend
         image: gcr.io/GCP_PROJECT/nomulus
@@ -20,7 +24,8 @@ spec:
           name: http
         resources:
           requests:
-            cpu: "500m"
+            cpu: "100m"
+            memory: "512Mi"
         args: [ENVIRONMENT]
         env:
         - name: POD_ID
@@ -37,6 +42,27 @@ spec:
               fieldPath: metadata.namespace
         - name: CONTAINER_NAME
           value: frontend
+      - name: EPP
+        image: gcr.io/GCP_PROJECT/proxy
+        ports:
+        - containerPort: 30002
+          name: epp
+        resources:
+          requests:
+            cpu: "100m"
+            memory: "512Mi"
+        args: [--env, PROXY_ENV, --log, --local]
+        env:
+        - name: POD_ID
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: NAMESPACE_ID
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: CONTAINER_NAME
+          value: EPP
 ---
 # Only need to define the service account once per cluster.
 apiVersion: v1
@@ -55,7 +81,7 @@ spec:
     apiVersion: apps/v1
     kind: Deployment
     name: frontend
-  minReplicas: 5
+  minReplicas: 15
   maxReplicas: 15
   metrics:
     - type: Resource
@@ -77,6 +103,27 @@ spec:
       targetPort: http
       name: http
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: EPP
+  annotations:
+    cloud.google.com/l4-rbs: enabled
+    networking.gke.io/weighted-load-balancing: pods-per-node
+    networking.gke.io/load-balancer-ip-addresses: "EPP-ipv6-main,EPP-ipv4-main"
+spec:
+  type: LoadBalancer
+  # Traffic is directly delivered to a node, preserving the original source IP.
+  externalTrafficPolicy: Local
+  ipFamilies: [IPv4, IPv6]
+  ipFamilyPolicy: RequireDualStack
+  selector:
+    service: frontend
+  ports:
+  - port: 700
+    targetPort: epp
+    name: epp
+---
 apiVersion: net.gke.io/v1
 kind: ServiceExport
 metadata:

jetty/kubernetes/nomulus-pubapi.yaml

@@ -2,6 +2,8 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: pubapi
+  annotations:
+    tag: "latest"
 spec:
   selector:
     matchLabels:
@@ -12,6 +14,8 @@ spec:
         service: pubapi
     spec:
       serviceAccountName: nomulus
+      nodeSelector:
+        cloud.google.com/compute-class: "Performance"
       containers:
       - name: pubapi
         image: gcr.io/GCP_PROJECT/nomulus
@@ -20,7 +24,8 @@ spec:
           name: http
         resources:
           requests:
-            cpu: "500m"
+            cpu: "100m"
+            memory: "512Mi"
         args: [ENVIRONMENT]
         env:
         - name: POD_ID

release/builder/Dockerfile

@@ -28,7 +28,7 @@ COPY go.sum ./
 COPY go.mod ./
 RUN go build -o /deployCloudSchedulerAndQueue
 
-FROM marketplace.gcr.io/google/ubuntu2204
+FROM marketplace.gcr.io/google/ubuntu2404
 ENV DEBIAN_FRONTEND=noninteractive LANG=en_US.UTF-8
 # Add script for cloud scheduler and cloud tasks deployment
 COPY --from=deployCloudSchedulerAndQueueBuilder /deployCloudSchedulerAndQueue /usr/local/bin/deployCloudSchedulerAndQueue

release/builder/build.sh

@@ -43,10 +43,6 @@ apt-get install openjdk-21-jdk-headless -y
 
 # Install Python
 apt-get install python3 -y
-# As of March 2021 python3 is at v3.6. Get pip then install dataclasses
-# (introduced in 3.7) for nom_build
-apt-get install python3-pip -y
-python3 -m pip install dataclasses
 
 # Install Node
 apt-get install npm -y
@@ -57,11 +53,13 @@ npm install -g n
 for i in {1..5}; do n 22.7.0 && break || sleep 15; done
 
 # Install gp_dump
-apt-get install postgresql-client-11 procps -y
+apt-get install postgresql-client-17 procps -y
 
 # Install gcloud
 apt-get install google-cloud-cli -y
 apt-get install google-cloud-sdk-app-engine-java -y
+apt-get install kubectl -y
+apt-get install google-cloud-cli-gke-gcloud-auth-plugin -y
 
 # Install git
 apt-get install git -y

release/cloudbuild-nomulus.yaml

@@ -198,6 +198,7 @@ artifacts:
     - 'release/cloudbuild-delete-*.yaml'
     - 'release/cloudbuild-schema-deploy-*.yaml'
     - 'release/cloudbuild-schema-verify-*.yaml'
+    - 'release/cloudbuild-restart-proxies-*.yaml'
     - 'jetty/kubernetes/*.yaml'
     - 'jetty/kubernetes/gateway/*.yaml'
 # The images are already uploaded, but we still need to include them there so that

release/cloudbuild-release.yaml

@@ -88,6 +88,7 @@ steps:
     sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-schema-deploy.yaml
     sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-schema-verify.yaml
     sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-delete.yaml
+    sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-restart-proxies.yaml
     sed -i s/GCP_PROJECT/${PROJECT_ID}/ proxy/kubernetes/proxy-*.yaml
     sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-sync-and-tag.yaml
     sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-deploy.yaml
@@ -99,6 +100,11 @@ steps:
         > release/cloudbuild-deploy-gke-${environment}.yaml
       sed s/'$${_ENV}'/${environment}/g release/cloudbuild-delete.yaml \
         > release/cloudbuild-delete-${environment}.yaml
+      sed s/'$${_ENV}'/${environment}/g release/cloudbuild-restart-proxies.yaml \
+        > release/cloudbuild-restart-proxies-${environment}.yaml
+      sed s/'$${_ENV}'/${environment}/g release/cloudbuild-restart-proxies.yaml | \
+        sed s/proxy-deployment/proxy-deployment-canary/g \
+        > release/cloudbuild-restart-proxies-${environment}-canary.yaml
     done
 # Build and upload the schema_deployer image.
 - name: 'gcr.io/cloud-builders/docker'
@@ -178,11 +184,14 @@ steps:
       base_domain=$(grep baseDomain \
         ./core/src/main/java/google/registry/config/files/nomulus-config-${env}.yaml | \
         awk '{print $2}')
-      for service in frontend backend pubapi console 
+      for service in frontend backend pubapi console
       do
         # non-canary
         sed s/GCP_PROJECT/${PROJECT_ID}/g ./jetty/kubernetes/nomulus-${service}.yaml | \
-          sed s/ENVIRONMENT/${env}/g > ./jetty/kubernetes/nomulus-${env}-${service}.yaml
+          sed s/latest/${TAG_NAME}/g | \
+          sed s/ENVIRONMENT/${env}/g | \
+          sed s/PROXY_ENV/"${env}"/g | \
+          sed s/EPP/"epp"/g > ./jetty/kubernetes/nomulus-${env}-${service}.yaml
         # Proxy '--log' flag does not work on production.
         if [ ${env} == production ]
         then
@@ -195,7 +204,10 @@ steps:
         fi
         # canary
         sed s/GCP_PROJECT/${PROJECT_ID}/g ./jetty/kubernetes/nomulus-${service}.yaml | \
+          sed s/latest/${TAG_NAME}/g | \
           sed s/ENVIRONMENT/${env}/g | \
+          sed s/PROXY_ENV/"${env}_canary"/g | \
+          sed s/EPP/"epp-canary"/g | \
           sed s/${service}/${service}-canary/g \
           > ./jetty/kubernetes/nomulus-${env}-${service}-canary.yaml
         # Proxy '--log' flag does not work on production.
@@ -264,7 +276,7 @@ steps:
       $(gcloud auth list --format='get(account)' --filter=active)
     git add .
     git commit -m "Release commit for tag ${TAG_NAME}"
-    git push -o nokeycheck origin master 
+    git push -o nokeycheck origin master
     git tag ${TAG_NAME}
     git push -o nokeycheck origin ${TAG_NAME}
 timeout: 3600s

release/cloudbuild-restart-proxies.yaml

@@ -0,0 +1,64 @@
+# This will do rolling restarts of all proxies. This forces the client to reconnect
+# and resets the sessions.
+#
+# To manually trigger a build on GCB, run:
+# gcloud builds submit --config=cloudbuild-restart-proxies.yaml \
+# --substitutions=_ENV=[ENV] ..
+#
+# To trigger a build automatically, follow the instructions below and add a trigger:
+# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
+#
+# Note: to work around the issue in Spinnaker's 'Deployment Manifest' stage,
+# variable references must avoid the ${var} format. Valid formats include
+# $var or ${"${var}"}. This file uses the former. Since TAG_NAME and _ENV are
+# expanded in the copies sent to Spinnaker, we preserve the brackets around
+# them for safe pattern matching during release.
+# See https://github.com/spinnaker/spinnaker/issues/3028 for more information.
+steps:
+# Pull the credential for nomulus tool.
+- name: 'gcr.io/$PROJECT_ID/builder:latest'
+  entrypoint: /bin/bash
+  args:
+  - -c
+  - |
+    set -e
+    gcloud secrets versions access latest \
+      --secret nomulus-tool-cloudbuild-credential > tool-credential.json
+# Do rolling restarts of all proxies in all environments.
+- name: 'gcr.io/$PROJECT_ID/builder:latest'
+  entrypoint: /bin/bash
+  args:
+  - -c
+  - |
+    if [ ${_ENV} == production ]
+    then
+      project_id="domain-registry"
+    else
+      project_id="domain-registry-${_ENV}"
+    fi
+
+    gcloud auth activate-service-account --key-file=tool-credential.json
+
+    first=true
+    t=0
+
+    while read line
+    do
+      # Sleep for t seconds for the rollout to stabilize.
+      if [[ -v first ]]
+      then
+        unset first
+      else
+        sleep $t
+      fi
+      name=$(echo $line | awk '{print $1}')
+      location=$(echo $line | awk '{print $2}')
+      echo $name $region
+      echo "Updating cluster $name in location $location..."
+      gcloud container clusters get-credentials $name \
+        --project $project_id --location $location
+      kubectl rollout restart deployment/proxy-deployment
+    done < <(gcloud container clusters list --project $project_id | grep proxy-cluster)
+timeout: 7500s
+options:
+  machineType: 'N1_HIGHCPU_8'

release/schema-verifier/allowed_diffs.txt

@@ -3,3 +3,6 @@ COMMENT ON EXTENSION pgaudit IS 'provides auditing functionality';
 SET default_with_oids = false;
 CREATE EXTENSION IF NOT EXISTS pg_stat_statements WITH SCHEMA public;
 COMMENT ON EXTENSION pg_stat_statements IS 'track execution statistics of all SQL statements executed';
+SET transaction_timeout = 0;
+SET default_table_access_method = heap;
+SET default_with_oids = false;

release/schema-verifier/verify_deployed_sql_schema.sh

@@ -69,6 +69,14 @@ PGPASSWORD=${db_password} pg_dump -h localhost -U "${db_user}" \
     --exclude-table flyway_schema_history \
     postgres
 
+if [ $? -ne 0 ]; then
+  echo "Failed to dump schema."
+  exit 1
+else
+  echo "Schema dumped."
+fi
+
+
 raw_diff=$(diff /schema/nomulus.golden.sql /schema/nomulus.actual.sql)
 # Clean up the raw_diff:
 # - Remove diff locations (e.g. "5,6c5,6): grep "^[<>]"