From 6fb24fcaa3871582968d0deea85756bf80c5a326 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=BCdiger=20Birkner?=
Date: Fri, 26 Jan 2024 21:53:00 +0000
Subject: [PATCH] chore(custom-domains): clean up after SW removal

---
 .../certificate-syncer/domain-without-sw.tmpl | 39 -------------------
 .../{domain-with-sw.tmpl => domain.tmpl} | 0
 .../systemd/system/certificate-syncer.service | 4 +-
 .../rootfs/opt/ic/bin/bootstrap-ic-node.sh | 1 -
 .../opt/ic/bin/setup-certificate-syncer.sh | 13 -------
 .../scripts/build-deployment.sh | 17 --------
 .../certificate_syncer/src/main.rs | 33 ++--------
 .../certificate_syncer/src/persist.rs | 6 +--
 .../certificate_syncer/src/render.rs | 28 +++----------
 9 files changed, 12 insertions(+), 129 deletions(-)
 delete mode 100644 ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-without-sw.tmpl
 rename ic-os/boundary-guestos/rootfs/etc/certificate-syncer/{domain-with-sw.tmpl => domain.tmpl} (100%)

diff --git a/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-without-sw.tmpl b/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-without-sw.tmpl
deleted file mode 100644
index 8336b37923a..00000000000
--- a/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-without-sw.tmpl
+++ /dev/null
@@ -1,39 +0,0 @@
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- server_name {name};
-
- ssl_certificate {ssl_certificate_path};
- ssl_certificate_key {ssl_certificate_key_path};
-
- location / {
- # Observability
- include "includes/request_id.conf";
-
- # Prereqs
- include "includes/method_get.conf";
- include "includes/denylist_451.conf";
-
- # CORS
- set $cors_allow_methods "HEAD, GET, OPTIONS";
- include "includes/response_headers.conf";
- include "includes/options.conf";
-
- # Update the Host header so that icx-proxy is able to process the request
- proxy_set_header Host "$inferred_canister_id.$primary_domain";
-
- # Cache
- proxy_buffering "on";
- proxy_cache "cache_static";
- proxy_cache_key "$scheme$host$request_uri";
- proxy_cache_valid "10s";
- proxy_cache_use_stale "off";
-
- proxy_pass http://icx_proxy;
- include "includes/proxy_headers.conf";
-
- # Required for clients that have a service worker, which hasn't been uninstalled yet
- add_header "X-Ic-Gateway" "$primary_api_domain" always;
- }
-}
diff --git a/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-with-sw.tmpl b/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain.tmpl
similarity index 100%
rename from ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-with-sw.tmpl
rename to ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain.tmpl
diff --git a/ic-os/boundary-guestos/rootfs/etc/systemd/system/certificate-syncer.service b/ic-os/boundary-guestos/rootfs/etc/systemd/system/certificate-syncer.service
index 0fd91db5f3d..8cba5efa213 100644
--- a/ic-os/boundary-guestos/rootfs/etc/systemd/system/certificate-syncer.service
+++ b/ic-os/boundary-guestos/rootfs/etc/systemd/system/certificate-syncer.service
@@ -17,9 +17,7 @@ ExecStart=/bin/bash -c '
 --certificates-exporter-uri "http://localhost:3000/certificates" \
 --local-certificates-path "/var/opt/nginx/certs" \
 --local-configuration-path "/var/opt/nginx/domains.conf" \
- --configuration-template-sw-path "/etc/certificate-syncer/domain-with-sw.tmpl" \
- --configuration-template-no-sw-path "/etc/certificate-syncer/domain-without-sw.tmpl" \
- ${RAW_DOMAINS_PATH:+ --no-sw-domains-path "${RAW_DOMAINS_PATH}"} \
+ --configuration-template-path "/etc/certificate-syncer/domain.tmpl" \
 --domain-mappings-path "/var/opt/nginx/domain_canister_mappings.js" \
 --metrics-addr "[::]:9322" \
 ${POLLING_INTERVAL_SEC:+ --polling-interval-sec "${POLLING_INTERVAL_SEC}"} \
diff --git a/ic-os/boundary-guestos/rootfs/opt/ic/bin/bootstrap-ic-node.sh b/ic-os/boundary-guestos/rootfs/opt/ic/bin/bootstrap-ic-node.sh
index 7b19c27fca3..6553bea8703 100755
--- a/ic-os/boundary-guestos/rootfs/opt/ic/bin/bootstrap-ic-node.sh
+++ b/ic-os/boundary-guestos/rootfs/opt/ic/bin/bootstrap-ic-node.sh
@@ -71,7 +71,6 @@ function process_bootstrap() {
 nns.conf
 pre_isolation_canisters.txt
 prober_identity.pem
- raw_domains.txt
 )
 
 for FILE in ${FILES[@]}; do
diff --git a/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-certificate-syncer.sh b/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-certificate-syncer.sh
index fb6f2f34056..4c7604a4c9d 100644
--- a/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-certificate-syncer.sh
+++ b/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-certificate-syncer.sh
@@ -5,11 +5,9 @@ source '/opt/ic/bin/helpers.shlib'
 source '/opt/ic/bin/exec_condition.shlib'
 readonly IDENTITY_PEM="${BOOT_DIR}/certificate_issuer_identity.pem"
-readonly RAW_DOMAINS="${BOOT_DIR}/raw_domains.txt"
 readonly RUN_DIR='/run/ic-node/etc/default'
 readonly ENV_FILE="${RUN_DIR}/certificate-syncer"
-readonly CFG_DIR='/run/ic-node/etc/certificate-syncer'
 readonly CONFIG_FILE="${BOOT_DIR}/certificate_syncer.conf"
 # Read the config variables. The files must be of the form
@@ -32,20 +30,10 @@ function read_variables() {
 fi
 }
 
-function copy_files() {
- mkdir -p "${CFG_DIR}"
-
- if [ -f "${RAW_DOMAINS}" ]; then
- RAW_FILE_PATH="${CFG_DIR}/raw_domains.txt"
- cp "${RAW_DOMAINS}" "${RAW_FILE_PATH}"
- fi
-}
-
 function generate_config() {
 mkdir -p $(dirname "${ENV_FILE}")
 cat >"${ENV_FILE}" <,
+ configuration_template_path: PathBuf,
 #[clap(long, default_value = "mappings.js")]
 domain_mappings_path: PathBuf,
@@ -135,27 +127,10 @@ async fn main() -> Result<(), Error> {
 let reloader = WithMetrics(reloader, MetricParams::new(&meter, SERVICE_NAME, "reload"));
 // Persistence
- let configuration_template_sw = std::fs::read_to_string(&cli.configuration_template_sw_path)
- .context("failed to read configuration template for using the service worker")?;
-
- let configuration_template_no_sw =
- std::fs::read_to_string(&cli.configuration_template_no_sw_path)
- .context("failed to read configuration template for using icx-proxy")?;
-
- let no_sw_domains: Vec = match &cli.no_sw_domains_path {
- Some(no_sw_domains_path) => {
- let file = File::open(no_sw_domains_path)?;
- let reader = io::BufReader::new(file);
- reader.lines().map(|line| line.unwrap()).collect()
- }
- None => Vec::new(),
- };
+ let configuration_template = std::fs::read_to_string(&cli.configuration_template_path)
+ .context("failed to read configuration template")?;
 
- let renderer = Renderer::new(
- &configuration_template_sw,
- &configuration_template_no_sw,
- no_sw_domains,
- );
+ let renderer = Renderer::new(&configuration_template);
 
 let renderer = WithMetrics(renderer, MetricParams::new(&meter, SERVICE_NAME, "render"));
 let renderer = Arc::new(renderer);
diff --git a/rs/boundary_node/certificate_issuance/certificate_syncer/src/persist.rs b/rs/boundary_node/certificate_issuance/certificate_syncer/src/persist.rs
index da9ff848a6a..da4a9f3c1cb 100644
--- a/rs/boundary_node/certificate_issuance/certificate_syncer/src/persist.rs
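Review bot: The new `std::fs::read_to_string(&cli.configuration_template_path).context("failed to read configuration template")?` drops the path from the error, so a wrong `--configuration-template-path` in the systemd unit fails with a message that does not name the file it tried to open. Prefer `.with_context(|| format!("failed to read configuration template {}", cli.configuration_template_path.display()))` so the boundary-node log points at the misconfigured path. The template is read once here and handed to `Renderer::new` with nothing in the hunk reloading it, so edits to `domain.tmpl` presumably only take effect after a service restart; a one-line comment above the read, `// Template is read once at startup; restart the service to pick up changes`, would save the next maintainer the question. `main` starts and ends outside this hunk, and the earlier hunk of this file (the `Cli` struct) is cut off in this view.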
+++ b/rs/boundary_node/certificate_issuance/certificate_syncer/src/persist.rs
@@ -282,11 +282,7 @@ mod tests {
 let tmp_dir = tempdir()?;
- let renderer = Renderer::new(
- "{name}|{ssl_certificate_key_path}|{ssl_certificate_path}",
- "{name}|{ssl_certificate_key_path}|{ssl_certificate_path}",
- vec!["X".to_string(), "Y".to_string(), "Z".to_string()],
- );
+ let renderer = Renderer::new("{name}|{ssl_certificate_key_path}|{ssl_certificate_path}");
 let persister = Persister::new(
 Arc::new(renderer), // renderer
diff --git a/rs/boundary_node/certificate_issuance/certificate_syncer/src/render.rs b/rs/boundary_node/certificate_issuance/certificate_syncer/src/render.rs
index 22fbac9e06e..44a83a8761f 100644
--- a/rs/boundary_node/certificate_issuance/certificate_syncer/src/render.rs
+++ b/rs/boundary_node/certificate_issuance/certificate_syncer/src/render.rs
@@ -18,32 +18,20 @@ pub trait Render: Sync + Send {
 }
 
 pub struct Renderer {
- template_with_service_worker: String,
- template_with_icx_proxy: String,
- no_sw_domains: Vec,
+ template: String,
 }
 
 impl Renderer {
- pub fn new(
- template_with_service_worker: &str,
- template_with_icx_proxy: &str,
- no_sw_domains: Vec,
- ) -> Self {
+ pub fn new(template: &str) -> Self {
 Self {
- template_with_service_worker: template_with_service_worker.to_owned(),
- template_with_icx_proxy: template_with_icx_proxy.to_owned(),
- no_sw_domains: no_sw_domains.to_owned(),
+ template: template.to_owned(),
 }
 }
 }
 
 impl Render for Renderer {
 fn render(&self, cx: &Context) -> Result {
- let out = if self.no_sw_domains.contains(&cx.name.to_string()) {
- self.template_with_icx_proxy.clone()
- } else {
- self.template_with_service_worker.clone()
- };
+ let out = self.template.clone();
 let out = out.replace("{name}", cx.name);
 let out = out.replace("{ssl_certificate_key_path}", cx.ssl_certificate_key_path);
 let out = out.replace("{ssl_certificate_path}", cx.ssl_certificate_path);
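Review bot: The rewritten `render` still pastes `cx.name` (and both certificate paths) into the nginx template with bare `str::replace` and no validation, so a name containing whitespace, `;`, `}` or a newline would inject directives into the generated `domains.conf` at the `{name}` substitution line. Unless the certificates exporter already guarantees that names are validated DNS hostnames (not visible in this diff), the renderer should refuse anything outside hostname characters before substituting, e.g. `if !cx.name.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '-') { return Err(anyhow!("invalid domain name: {}", cx.name)); }` ahead of the first `replace` (assuming `Error` here is `anyhow::Error`, as the `.context` calls in main.rs suggest). Separately, `let out = self.template.clone();` allocates a copy that the next line immediately discards; `let out = self.template.replace("{name}", cx.name);` does the same work without the clone. The body of `render` continues past the end of the hunk.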
@@ -80,11 +68,7 @@ mod tests {
 
 #[test]
 fn test_render() {
- let r = Renderer::new(
- "{name}|{ssl_certificate_key_path}|{ssl_certificate_path}",
- "{name}|{ssl_certificate_path}|{ssl_certificate_key_path}",
- vec!["X".to_string(), "Y".to_string(), "Z".to_string()],
- );
+ let r = Renderer::new("{name}|{ssl_certificate_key_path}|{ssl_certificate_path}");
 
 let out = r
 .render(&Context {
@@ -104,6 +88,6 @@ mod tests {
 })
 .expect("failed to render");
 
- assert_eq!(out, "X|3|2");
+ assert_eq!(out, "X|2|3");
 }
 }