Avoid injection of a possibly-null string value if thee Valkey cert key doesn't exist (#3055)

* generate kubernetes partial/canary manifests in release job

* rename partial phase labels

* replace container name value to be stage dependent

* just keep the new partial deployment update in the manifest generation

core/src/main/java/google/registry/cache/CacheModule.java

@@ -60,12 +60,15 @@ public final class CacheModule {
   public static Optional<UnifiedJedis> provideJedis(
       @ApplicationDefaultCredential GoogleCredentialsBundle credentialsBundle,
       @Config("valkeyHostsAndPorts") Optional<ImmutableList<String>> valkeyHostsAndPorts,
-      @Config("valkeySslSocketFactory") SSLSocketFactory valkeySslSocketFactory) {
-    if (valkeyHostsAndPorts.map(ImmutableList::isEmpty).orElse(true)) {
+      @Config("valkeyCertificateAuthority") Optional<String> valkeyCertificateAuthority) {
+    if (valkeyHostsAndPorts.map(ImmutableList::isEmpty).orElse(true)
+        || valkeyCertificateAuthority.isEmpty()) {
       return Optional.empty();
     }
     ImmutableSet<HostAndPort> hostsAndPorts =
         valkeyHostsAndPorts.get().stream().map(HostAndPort::from).collect(toImmutableSet());
+    SSLSocketFactory valkeySslSocketFactory =
+        createValkeySslSocketFactory(valkeyCertificateAuthority.get());
     JedisClientConfig clientConfig =
         DefaultJedisClientConfig.builder()
             .ssl(true)
@@ -111,11 +114,7 @@ public final class CacheModule {
     return new MultilayerHostCache(jedisClient.get(), cacheMetrics);
   }
 
-  @Provides
-  @Singleton
-  @Config("valkeySslSocketFactory")
-  static SSLSocketFactory provideValkeySslSocketFactory(
-      @Config("valkeyCertificateAuthority") String valkeyCertificateAuthority) {
+  private static SSLSocketFactory createValkeySslSocketFactory(String valkeyCertificateAuthority) {
     try {
       ImmutableList<X509Certificate> trustedCerts =
           CertificateFactory.getInstance("X.509")

core/src/main/java/google/registry/keyring/KeyringModule.java

@@ -22,6 +22,7 @@ import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.api.Keyring;
 import google.registry.keyring.secretmanager.SecretManagerKeyring;
 import jakarta.inject.Singleton;
+import java.util.Optional;
 
 /** Dagger module for {@link Keyring} */
 @Module
@@ -55,7 +56,7 @@ public abstract class KeyringModule {
 
   @Provides
   @Config("valkeyCertificateAuthority")
-  public static String provideValkeyCertificateAuthority(Keyring keyring) {
-    return keyring.getValkeyCertificateAuthority();
+  public static Optional<String> provideValkeyCertificateAuthority(Keyring keyring) {
+    return Optional.ofNullable(keyring.getValkeyCertificateAuthority());
   }
 }

release/cloudbuild-release.yaml

@@ -233,6 +233,16 @@ steps:
           sed -i s/${PROJECT_ID}.iam.gserviceaccount.com/${project}.iam.gserviceaccount.com/g \
             ./jetty/kubernetes/nomulus-${env}-${service}-canary.yaml
         fi
+        # partial phase manifests
+        for stage in 1 5
+        do
+          awk 'NR==1,/^---$/ {if ($0 != "---") print}' ./jetty/kubernetes/nomulus-${env}-${service}.yaml | \
+            sed s/name:\ ${service}/name:\ ${service}-partial-phase/g | \
+            sed s/service:\ ${service}/deployment:\ ${service}-partial-phase/g | \
+            sed s/value:\ ${service}/value:\ ${service}-partial-phase/g | \
+            sed "/^spec:$/a\  replicas: ${stage}" \
+            > ./jetty/kubernetes/nomulus-${env}-${service}-partial-phase-${stage}.yaml
+        done
         # gateway
         sed s/BASE_DOMAIN/${base_domain}/g \
           ./jetty/kubernetes/gateway/nomulus-route-${service}.yaml \