# This will generate a new SSL certificate and apply it to the probers in the
# environment specified by ${_ENV}.
#
# To manually trigger a build on GCB, run:
# gcloud builds submit --config=cloudbuild-renew-prober-certs.yaml \
# --substitutions=_ENV=[ENV] ..
#
# To trigger a build automatically, follow the instructions below and add a trigger:
# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
#
steps:
# Generate new SSL certs
- name: 'gcr.io/$PROJECT_ID/builder:live'
  entrypoint: /bin/bash
  args:
  - -c
  - |
    set -e
    # Download the CA certificate files for signing the new certificate.
    gcloud storage cp gs://$PROJECT_ID-prober-certs/ca.* .
    # Get the passphrase
    gcloud secrets versions access latest \
      --secret=epp-prober-passphrase-${_ENV} \
      --out-file=./passphrase.txt
    openssl req -new -newkey rsa:4096 -nodes \
      -out prober-client-tls.req \
      -keyout prober-client-tls.key \
      -subj "/C=US/ST=New York/L=New York/O=Google/OU=gTLD/CN=Google Registry/emailAddress=example@example.com" \
      -passout file:./passphrase.txt
    openssl x509 -CA ca.pem  -CAkey ca.key -CAserial ca.srl -req -days 398  \
      -in prober-client-tls.req \
      -out prober-client-tls.pem
    openssl pkcs12 -export -in prober-client-tls.pem \
      -inkey prober-client-tls.key -out prober-client-tls.p12 \
      -password file:./passphrase.txt
# Download the nomulus-tools credential, which has the privilege to invoke tools
# commands. Also download the list of probers.
- name: 'gcr.io/$PROJECT_ID/builder:live'
  entrypoint: /bin/bash
  args:
  - -c
  - |
    set -e
    # Download the list of prober registrars in a file.
    prober_list_name=prober_registrars.${_ENV}
    gcloud storage cp \
      gs://$PROJECT_ID-prober-certs/$prober_list_name ./prober-list
    # Get the nomulus-tools credential, which is needed by the next step for
    # invoking nomulus-tools commands.
    gcloud secrets versions access latest \
      --secret nomulus-tool-cloudbuild-credential \
      > nomulus_tool_credential.json
# Install the new pem cert in the Nomulus server. After this step, both the
# current cert and the new cert are accepted for login by the server.
- name: 'gcr.io/$PROJECT_ID/prober_cert_updater:live'
  args:
  - ${_ENV}
  - ./prober-client-tls.pem
  - ./prober-list
  - ./nomulus_tool_credential.json
# Add the p12 cert to SecretManager. Prober instances will start using this
# cert when they restart.
- name: 'gcr.io/$PROJECT_ID/builder:live'
  entrypoint: /bin/bash
  args:
  - -c
  - |
    set -e
    if [ ${_ENV} == production ]; then
      secret_id="prober-keys"
    else
      secret_id="prober-keys-${_ENV}"
    fi
    gcloud secrets versions add $secret_id \
      --data-file="./prober-client-tls.p12"