revert to before nuclear option

transcom · Mar 31, 2022 · 9879ec8 · 9879ec8
1 parent 69b12ff
commit 9879ec8
Show file tree

Hide file tree

Showing 16 changed files with 49 additions and 17 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -849,6 +849,10 @@ jobs:
             NO_TLS_ENABLED: true
             PWD: /home/circleci/transcom/mymove
       - aws_vars_loadtest
+      - run:
+          name: Prepare certificates
+          command: |
+            sudo cp /home/circleci/transcom/mymove/bin/rds-ca-us-gov-west-1-2017-root.pem /bin/rds-ca-us-gov-west-1-2017-root.pem
       - run:
           name: Run Loadtest acceptance tests
           command: make acceptance_test
@@ -862,6 +866,10 @@ jobs:
             PWD: /home/circleci/transcom/mymove
             TEST_ACC_ENV: loadtest
       - aws_vars_demo
+      - run:
+          name: Prepare certificates
+          command: |
+            sudo cp /home/circleci/transcom/mymove/bin/rds-ca-us-gov-west-1-2017-root.pem /bin/rds-ca-us-gov-west-1-2017-root.pem
       - run:
           name: Run Demo acceptance tests
           command: make acceptance_test

diff --git a/Dockerfile b/Dockerfile
@@ -11,7 +11,8 @@ RUN update-ca-certificates
 FROM gcr.io/distroless/base:latest
 COPY --from=build-env /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
-COPY bin/rds-ca-rsa4096-g1.pem /bin/rds-ca-rsa4096-g1.pem
+COPY bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
+COPY bin/rds-ca-us-gov-west-1-2017-root.pem /bin/rds-ca-us-gov-west-1-2017-root.pem
 COPY bin/milmove /bin/milmove
 
 COPY config/tls/Certificates_PKCS7_v5.6_DoD.der.p7b /config/tls/Certificates_PKCS7_v5.6_DoD.der.p7b

diff --git a/Dockerfile.dp3 b/Dockerfile.dp3
@@ -2,6 +2,8 @@
 FROM gcr.io/distroless/base:latest
 
 COPY bin/rds-ca-rsa4096-g1.pem /bin/rds-ca-rsa4096-g1.pem
+# COPY bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
+# COPY bin/rds-ca-us-gov-west-1-2017-root.pem /bin/rds-ca-us-gov-west-1-2017-root.pem
 COPY bin/milmove /bin/milmove
 
 # Demo Environment certs

diff --git a/Dockerfile.e2e b/Dockerfile.e2e
@@ -7,6 +7,8 @@ COPY config/tls/dod-wcf-root-ca-1.pem /usr/local/share/ca-certificates/dod-wcf-r
 COPY config/tls/dod-wcf-intermediate-ca-1.pem /usr/local/share/ca-certificates/dod-wcf-intermediate-ca-1.pem.crt
 
 COPY bin/rds-ca-rsa4096-g1.pem /bin/rds-ca-rsa4096-g1.pem
+COPY bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
+COPY bin/rds-ca-us-gov-west-1-2017-root.pem /bin/rds-ca-us-gov-west-1-2017-root.pem
 COPY bin/milmove /bin/milmove
 COPY bin/generate-test-data /bin/generate-test-data
 

diff --git a/Dockerfile.local b/Dockerfile.local
@@ -10,7 +10,8 @@ COPY --chown=circleci:circleci . /home/circleci/project
 WORKDIR /home/circleci/project
 
 RUN make clean
-RUN make bin/rds-ca-rsa4096-g1.pem
+RUN make bin/rds-ca-2019-root.pem
+RUN make bin/rds-ca-us-gov-west-1-2017-root.pem
 RUN rm -f pkg/assets/assets.go && make pkg/assets/assets.go
 RUN make server_generate
 RUN rm -f bin/milmove && make bin/milmove
@@ -22,7 +23,8 @@ RUN rm -f bin/milmove && make bin/milmove
 # hadolint ignore=DL3007
 FROM gcr.io/distroless/base:latest
 
-COPY --from=builder --chown=root:root /home/circleci/project/bin/bin/rds-ca-rsa4096-g1.pem /bin/bin/rds-ca-rsa4096-g1.pem
+COPY --from=builder --chown=root:root /home/circleci/project/bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
+COPY --from=builder --chown=root:root /home/circleci/project/bin/rds-ca-us-gov-west-1-2017-root.pem /bin/rds-ca-us-gov-west-1-2017-root.pem
 COPY --from=builder --chown=root:root /home/circleci/project/bin/milmove /bin/milmove
 
 COPY config/tls/Certificates_PKCS7_v5.6_DoD.der.p7b /config/tls/Certificates_PKCS7_v5.6_DoD.der.p7b

diff --git a/Dockerfile.migrations b/Dockerfile.migrations
@@ -7,6 +7,8 @@ COPY config/tls/dod-wcf-root-ca-1.pem /usr/local/share/ca-certificates/dod-wcf-r
 COPY config/tls/dod-wcf-intermediate-ca-1.pem /usr/local/share/ca-certificates/dod-wcf-intermediate-ca-1.pem.crt
 
 COPY bin/rds-ca-rsa4096-g1.pem /bin/rds-ca-rsa4096-g1.pem
+COPY bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
+COPY bin/rds-ca-us-gov-west-1-2017-root.pem /bin/rds-ca-us-gov-west-1-2017-root.pem
 COPY bin/milmove /bin/milmove
 
 COPY migrations/app/schema /migrate/schema

diff --git a/Dockerfile.migrations_local b/Dockerfile.migrations_local
@@ -10,7 +10,7 @@ COPY --chown=circleci:circleci . /home/circleci/project
 WORKDIR /home/circleci/project
 
 RUN make clean
-RUN make bin/rds-ca-rsa4096-g1.pem
+RUN make bin/rds-ca-2019-root.pem
 RUN rm -f pkg/assets/assets.go && make pkg/assets/assets.go
 RUN make server_generate
 RUN rm -f bin/milmove && make bin/milmove
@@ -24,7 +24,7 @@ FROM alpine:3.15.2
 # hadolint ignore=DL3017
 RUN apk upgrade --no-cache busybox
 
-COPY --from=builder --chown=root:root /home/circleci/project/bin/rds-ca-rsa4096-g1.pem /bin/rds-ca-rsa4096-g1.pem
+COPY --from=builder --chown=root:root /home/circleci/project/bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
 COPY --from=builder --chown=root:root /home/circleci/project/bin/milmove /bin/milmove
 
 COPY migrations/app/schema /migrate/schema

diff --git a/Dockerfile.reviewapp b/Dockerfile.reviewapp
@@ -38,7 +38,7 @@ COPY pkg /build/pkg
 RUN mkdir /build/src
 
 RUN set -x \
-  && make bin/rds-ca-rsa4096-g1.pem \
+  && make bin/rds-ca-2019-root.pem \
   && rm -f pkg/assets/assets.go && make pkg/assets/assets.go \
   && scripts/gen-server \
   && rm -f bin/milmove && make bin/milmove \
@@ -47,7 +47,7 @@ RUN set -x \
 # define migrations before client build since it doesn't need client
 FROM alpine:3.15.2 as migrate
 
-COPY --from=server_builder /build/bin/rds-ca-rsa4096-g1.pem /bin/rds-ca-rsa4096-g1.pem
+COPY --from=server_builder /build/bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
 COPY --from=server_builder /build/bin/milmove /bin/milmove
 COPY --from=server_builder /build/bin/generate-test-data /bin/generate-test-data
 
@@ -106,7 +106,7 @@ RUN set -x \
 # hadolint ignore=DL3007
 FROM gcr.io/distroless/base:latest as milmove
 
-COPY --from=server_builder /build/bin/rds-ca-rsa4096-g1.pem /bin/rds-ca-rsa4096-g1.pem
+COPY --from=server_builder /build/bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
 COPY --from=server_builder /build/bin/milmove /bin/milmove
 COPY --from=server_builder /build/swagger /swagger
 

diff --git a/Dockerfile.tasks b/Dockerfile.tasks
@@ -12,7 +12,8 @@ FROM gcr.io/distroless/base:latest
 COPY --from=build-env /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
 COPY config/tls/Certificates_PKCS7_v5.6_DoD.der.p7b /config/tls/Certificates_PKCS7_v5.6_DoD.der.p7b
-COPY bin/rds-ca-rsa4096-g1.pem /bin/rds-ca-rsa4096-g1.pem
+COPY bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
+COPY bin/rds-ca-us-gov-west-1-2017-root.pem /bin/rds-ca-us-gov-west-1-2017-root.pem
 COPY bin/milmove-tasks /bin/milmove-tasks
 
 WORKDIR /bin
diff --git a/Dockerfile.tasks_dp3 b/Dockerfile.tasks_dp3
@@ -11,6 +11,8 @@ COPY config/tls/api.loadtest.dp3.us.chain.der.p7b /config/tls/api.loadtest.dp3.u
 COPY config/tls/api.exp.dp3.us.chain.der.p7b /config/tls/api.exp.dp3.us.chain.der.p7b
 
 COPY bin/rds-ca-rsa4096-g1.pem /bin/rds-ca-rsa4096-g1.pem
+#COPY bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
+#COPY bin/rds-ca-us-gov-west-1-2017-root.pem /bin/rds-ca-us-gov-west-1-2017-root.pem
 COPY bin/milmove-tasks /bin/milmove-tasks
 
 WORKDIR /bin
diff --git a/Dockerfile.tasks_local b/Dockerfile.tasks_local
@@ -10,7 +10,7 @@ COPY --chown=circleci:circleci . /home/circleci/project
 WORKDIR /home/circleci/project
 
 RUN make clean
-RUN make bin/rds-ca-rsa4096-g1.pem
+RUN make bin/rds-ca-2019-root.pem
 RUN rm -f pkg/assets/assets.go && make pkg/assets/assets.go
 RUN make server_generate
 RUN rm -f bin/milmove-tasks && make bin/milmove-tasks
@@ -23,7 +23,7 @@ RUN rm -f bin/milmove-tasks && make bin/milmove-tasks
 FROM gcr.io/distroless/base:latest
 
 COPY --from=builder --chown=root:root /home/circleci/project/config/tls/Certificates_PKCS7_v5.6_DoD.der.p7b /config/tls/Certificates_PKCS7_v5.6_DoD.der.p7b
-COPY --from=builder --chown=root:root /home/circleci/project/bin/rds-ca-rsa4096-g1.pem /bin/rds-ca-rsa4096-g1.pem
+COPY --from=builder --chown=root:root /home/circleci/project/bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
 COPY --from=builder --chown=root:root /home/circleci/project/bin/milmove-tasks /bin/milmove-tasks
 
 WORKDIR /bin
diff --git a/Dockerfile.webhook_client b/Dockerfile.webhook_client
@@ -21,8 +21,8 @@ FROM gcr.io/distroless/static:latest
 
 # Copy DOD certs from the builder.
 COPY --from=builder --chown=root:root /etc/ssl/certs /etc/ssl/certs
-COPY bin/rds-ca-rsa4096-g1.pem /bin/rds-ca-rsa4096-g1.pem
 
+COPY bin/rds-ca-us-gov-west-1-2017-root.pem /bin/rds-ca-us-gov-west-1-2017-root.pem
 COPY bin/webhook-client /bin/webhook-client
 
 CMD ["/bin/webhook-client", "webhook-notify"]
diff --git a/Dockerfile.webhook_client_dp3 b/Dockerfile.webhook_client_dp3
@@ -32,6 +32,7 @@ COPY --from=builder --chown=root:root /etc/ssl/certs /etc/ssl/certs
 
 COPY bin/rds-ca-rsa4096-g1.pem /bin/rds-ca-rsa4096-g1.pem
 
+#COPY bin/rds-ca-us-gov-west-1-2017-root.pem /bin/rds-ca-us-gov-west-1-2017-root.pem
 COPY bin/webhook-client /bin/webhook-client
 
 CMD ["/bin/webhook-client", "webhook-notify"]
diff --git a/Dockerfile.webhook_client_local b/Dockerfile.webhook_client_local
@@ -17,8 +17,7 @@ COPY --chown=circleci:circleci . /home/circleci/project
 WORKDIR /home/circleci/project
 
 RUN make clean
-RUN make bin/rds-ca-rsa4096-g1.pem
-
+RUN make bin/rds-ca-us-gov-west-1-2017-root.pem
 RUN make bin/webhook-client
 
 #########
@@ -36,7 +35,7 @@ COPY --from=builder --chown=root:root /home/circleci/project/config/tls/devlocal
 COPY --from=builder --chown=root:root /home/circleci/project/config/tls/devlocal-mtls.key /config/tls/devlocal-mtls.key
 
 # Public root certificate for RDS in us-gov-west-1.
-COPY --from=builder --chown=root:root /home/circleci/project/bin/rds-ca-rsa4096-g1.pem /bin/rds-ca-rsa4096-g1.pem
+COPY --from=builder --chown=root:root /home/circleci/project/bin/rds-ca-us-gov-west-1-2017-root.pem /bin/rds-ca-us-gov-west-1-2017-root.pem
 
 # The main webhook-client binary.
 COPY --from=builder --chown=root:root /home/circleci/project/bin/webhook-client /bin/webhook-client

diff --git a/Makefile b/Makefile
@@ -127,7 +127,7 @@ setup:
 deps_nix: install_pre_commit deps_shared ## Nix equivalent (kind of) of `deps` target.
 
 .PHONY: deps_shared
-deps_shared: client_deps bin/rds-ca-rsa4096-g1.pem ## install dependencies
+deps_shared: client_deps bin/rds-ca-2019-root.pem bin/rds-ca-us-gov-west-1-2017-root.pem bin/rds-ca-rsa4096-g1.pem ## install dependencies
 
 .PHONY: test
 test: client_test server_test e2e_test ## Run all tests
@@ -227,6 +227,14 @@ bin/rds-ca-rsa4096-g1.pem:
 	mkdir -p bin/
 	curl -sSo bin/rds-ca-rsa4096-g1.pem https://truststore.pki.us-gov-west-1.rds.amazonaws.com/us-gov-west-1/us-gov-west-1-bundle.pem
 
+bin/rds-ca-2019-root.pem:
+	mkdir -p bin/
+	curl -sSo bin/rds-ca-2019-root.pem https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem
+
+bin/rds-ca-us-gov-west-1-2017-root.pem:
+	mkdir -p bin/
+	curl -sSo bin/rds-ca-us-gov-west-1-2017-root.pem https://s3.us-gov-west-1.amazonaws.com/rds-downloads/rds-ca-us-gov-west-1-2017-root.pem
+
 ### MilMove Targets
 
 bin/big-cat: cmd/big-cat
@@ -364,6 +372,8 @@ server_run_debug: .check_hosts.stamp .check_go_version.stamp .check_gopath.stamp
 build_tools: bin/gin \
 	bin/mockery \
 	bin/rds-ca-rsa4096-g1.pem \
+	bin/rds-ca-2019-root.pem \
+	bin/rds-ca-us-gov-west-1-2017-root.pem \
 	bin/big-cat \
 	bin/generate-deploy-notes \
 	bin/ecs-deploy \
@@ -390,7 +400,7 @@ build: server_build build_tools client_build ## Build the server, tools, and cli
 # acceptance_test runs a few acceptance tests against a local or remote environment.
 # This can help identify potential errors before deploying a container.
 .PHONY: acceptance_test
-acceptance_test: bin/rds-ca-rsa4096-g1.pem ## Run acceptance tests
+acceptance_test: bin/rds-ca-2019-root.pem bin/rds-ca-us-gov-west-1-2017-root.pem bin/rds-ca-rsa4096-g1.pem ## Run acceptance tests
 ifndef TEST_ACC_ENV
 	@echo "Running acceptance tests for webserver using local environment."
 	@echo "* Use environment XYZ by setting environment variable to TEST_ACC_ENV=XYZ."

diff --git a/scripts/run-e2e-test-docker b/scripts/run-e2e-test-docker
@@ -40,6 +40,8 @@ docker run \
        make pkg/assets/assets.go \
        server_build \
        bin/generate-test-data \
+       bin/rds-ca-2019-root.pem \
+       bin/rds-ca-us-gov-west-1-2017-root.pem \
        bin/rds-ca-rsa4096-g1.pem
 docker build -t milmove_e2e:local -f Dockerfile.e2e .