[cloud ingress] Remove slackin.* domains from certs in a safe, staged…

… way (stage 1). (#1609)

Summary: In order to prevent downtime while google reprovisions
certificates, we need to stage out the removal of the slackin domain
from the cloud managed certs. The goal being that there's always one
valid cert that doesn't need to be reprovisioned for every new release.
To achieve this, we stage it out into 3 stages:
1. Add a second cert without `slackin.*` domain, attach this cert to the
ingress in addition to our original cert.
2. After releasing stage 1, remove `slackin.*` from the main cert.
3. Finally, we can remove the additional cert we added.

Type of change: /kind cleanup

Test Plan: Tested each stage on `testing`. After each deploy testing
still had a valid cert even if one of the two was reprovisioning.

Signed-off-by: James Bartlett <[email protected]>

k8s/cloud/overlays/exposed_services_gclb/cloud_ingress.yaml

@@ -5,7 +5,7 @@ metadata:
   name: cloud-ingress
   annotations:
     networking.gke.io/v1beta1.FrontendConfig: "frontend-config"
-    networking.gke.io/managed-certificates: cloud-ingress-managed-cert
+    networking.gke.io/managed-certificates: cloud-ingress-managed-cert,cloud-ingress-managed-cert-noslackin
 spec:
   rules:
   - http:

k8s/cloud/prod/cloud_ingress_managed_cert.yaml

@@ -8,4 +8,5 @@ spec:
   - withpixie.ai
   - work.withpixie.ai
   - docs.withpixie.ai
+  - slackin.withpixie.ai
   - segment.withpixie.ai

k8s/cloud/prod/cloud_ingress_managed_cert_noslackin.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+  name: cloud-ingress-managed-cert-noslackin
+spec:
+  domains:
+  - withpixie.ai
+  - work.withpixie.ai
+  - docs.withpixie.ai
+  - segment.withpixie.ai

k8s/cloud/prod/kustomization.yaml

@@ -22,6 +22,7 @@ replicas:
 resources:
 - frontend_config.yaml
 - cloud_ingress_managed_cert.yaml
+- cloud_ingress_managed_cert_noslackin.yaml
 - cloud_proxy_backend_config.yaml
 - vzconn_backend_config.yaml
 - ../base

k8s/cloud/staging/cloud_ingress_managed_cert.yaml

@@ -8,4 +8,5 @@ spec:
   - staging.withpixie.dev
   - work.staging.withpixie.dev
   - docs.staging.withpixie.dev
+  - slackin.staging.withpixie.dev
   - segment.staging.withpixie.dev

k8s/cloud/staging/cloud_ingress_managed_cert_noslackin.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+  name: cloud-ingress-managed-cert-noslackin
+spec:
+  domains:
+  - staging.withpixie.dev
+  - work.staging.withpixie.dev
+  - docs.staging.withpixie.dev
+  - segment.staging.withpixie.dev

k8s/cloud/staging/kustomization.yaml

@@ -20,6 +20,7 @@ replicas:
 resources:
 - frontend_config.yaml
 - cloud_ingress_managed_cert.yaml
+- cloud_ingress_managed_cert_noslackin.yaml
 - cloud_proxy_backend_config.yaml
 - vzconn_backend_config.yaml
 - ../base

k8s/cloud/testing/cloud_ingress_managed_cert.yaml

@@ -8,3 +8,4 @@ spec:
   - testing.withpixie.dev
   - work.testing.withpixie.dev
   - docs.testing.withpixie.dev
+  - slackin.testing.withpixie.dev

k8s/cloud/testing/cloud_ingress_managed_cert_noslackin.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+  name: cloud-ingress-managed-cert-noslackin
+spec:
+  domains:
+  - testing.withpixie.dev
+  - work.testing.withpixie.dev
+  - docs.testing.withpixie.dev

k8s/cloud/testing/kustomization.yaml

@@ -20,6 +20,7 @@ replicas:
 resources:
 - frontend_config.yaml
 - cloud_ingress_managed_cert.yaml
+- cloud_ingress_managed_cert_noslackin.yaml
 - cloud_proxy_backend_config.yaml
 - vzconn_backend_config.yaml
 - ../base