From d7f4c10fd93c4cc6b2b774ddac4db1536ed76119 Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Tue, 13 Jun 2023 18:46:42 +0200
Subject: [PATCH] Bump boulder version to release-2023-06-12
---
build/build.sh | 2 +-
build/tmp.patch | 13 ++--
install | 2 +-
patch-cfg.sh | 8 ++-
patches/cmd_config.patch | 4 +-
patches/crl-storer_main.patch | 4 +-
patches/docker-compose-redis.patch | 6 +-
patches/docker-compose.patch | 10 +--
patches/entrypoint.patch | 8 ++-
patches/ocsp-responder_main.patch | 101 +++-------------------------
10 files changed, 42 insertions(+), 116 deletions(-)
diff --git a/build/build.sh b/build/build.sh
index 36bb109..c913f79 100755
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 boulderDir=$TMP_DIR/src
-boulderTag="release-2023-05-22"
+boulderTag="release-2023-06-12"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
diff --git a/build/tmp.patch b/build/tmp.patch
index 9c5a849..5fad0d4 100644
--- a/build/tmp.patch
+++ b/build/tmp.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 4fe5b4749..e70a007ef 100644
+index e63e560cd..676d94ada 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -1,8 +1,9 @@
@@ -38,10 +38,10 @@ index 4fe5b4749..e70a007ef 100644
 entrypoint: labca/entrypoint.sh
 working_dir: &boulder_working_dir /opt/boulder
 logging:
-@@ -74,30 +74,32 @@ services:
+@@ -74,8 +74,10 @@ services:
 bconsul:
- image: hashicorp/consul:1.13.1
+ image: hashicorp/consul:1.14.2
+ depends_on:
+ - control
 volumes:
@@ -50,6 +50,10 @@ index 4fe5b4749..e70a007ef 100644
 networks:
 consulnet:
 ipv4_address: 10.55.55.10
+@@ -83,25 +85,24 @@ services:
+ ipv4_address: 10.77.77.10
+ rednet:
+ ipv4_address: 10.88.88.10
- command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
+ command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl"
@@ -68,7 +72,6 @@ index 4fe5b4749..e70a007ef 100644
 + - ldata:/opt/labca/data
 + - nginx_html:/opt/wwwstatic
 + - backup:/opt/backup
-+ #- .:/boulder
 + - boulder_data:/opt/boulder/labca
 expose:
 - 3000
@@ -82,7 +85,7 @@ index 4fe5b4749..e70a007ef 100644
 logging:
 driver: "json-file"
 options:
-@@ -114,37 +116,45 @@ services:
+@@ -118,37 +119,45 @@ services:
 - 80:80
 - 443:443
 volumes:
diff --git a/install b/install
index 3f5726f..566dd34 100755
--- a/install
+++ b/install
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2023-05-22"
+boulderTag="release-2023-06-12"
 # Feature flags
 flag_skip_redis=true
diff --git a/patch-cfg.sh b/patch-cfg.sh
index a081652..24b4281 100755
--- a/patch-cfg.sh
+++ b/patch-cfg.sh
@@ -55,11 +55,9 @@ sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/o
 sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-storer.json
 sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-updater.json
 sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
-sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" issuer-ocsp-responder.json
-sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" cert-ceremonies/intermediate-ocsp-rsa.yaml
 sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" v2_integration.py
 sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/root-ceremony-rsa.yaml
-sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/intermediate-ocsp-rsa.yaml
+sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/root-crl-rsa.yaml
 sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/intermediate-ceremony-rsa.yaml
 sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/publisher.json
 sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/wfe2.json
@@ -79,6 +77,10 @@ sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/ra.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-a.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-b.json
+sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/ca-a.json
+sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/ca-b.json
+sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-a.json
+sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-b.json
 if [ "$flag_skip_redis" == true ]; then
 sed -i -e "s/^\(.*wait-for-it.sh.*4218\)/#\1/" entrypoint.sh
diff --git a/patches/cmd_config.patch b/patches/cmd_config.patch
index 6147b92..c6823f4 100644
--- a/patches/cmd_config.patch
+++ b/patches/cmd_config.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/config.go b/cmd/config.go
-index 99ff43d02..a91f51d7d 100644
+index 18213cf51..a612afd18 100644
 --- a/cmd/config.go
 +++ b/cmd/config.go
-@@ -460,7 +460,7 @@ type GRPCServerConfig struct {
+@@ -464,7 +464,7 @@ type GRPCServerConfig struct {
 // this controls how long it takes before a client learns about changes to its
 // backends.
 // https://pkg.go.dev/google.golang.org/grpc/keepalive#ServerParameters
diff --git a/patches/crl-storer_main.patch b/patches/crl-storer_main.patch
index 625555d..0c3f764 100644
--- a/patches/crl-storer_main.patch
+++ b/patches/crl-storer_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/crl-storer/main.go b/cmd/crl-storer/main.go
-index 1f75fc305..84bafea5f 100644
+index 073c62032..b59db781c 100644
 --- a/cmd/crl-storer/main.go
 +++ b/cmd/crl-storer/main.go
 @@ -46,6 +46,9 @@ type Config struct {
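Review bot: The four added `sed` substitutions for `stdoutlevel` silently do nothing when the upstream config does not contain the exact text `"stdoutlevel": 4,` (a changed default, a renamed key, or the key sitting last in its object without a trailing comma), so a later boulder bump would quietly leave the CA and remote VA configs at the old log level with no signal in the build output. The surrounding `dnsTimeout` lines share the weakness, but the new block is the natural place to start: loop over the four files and verify the result of each substitution. The values look like syslog-style priorities, so a short comment on why the level is raised for these services would help the next reader; confirm the meaning against the boulder logging config. The enclosing script continues outside the hunk.
```shell
# … unchanged: dnsTimeout substitutions …
for cfg in ca-a ca-b va-remote-a va-remote-b; do
    sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" "config/$cfg.json"
    grep -q '"stdoutlevel": 6,' "config/$cfg.json" || echo "WARNING: stdoutlevel not updated in config/$cfg.json" >&2
done
# … unchanged: flag_skip_redis handling …
```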
@@ -20,4 +20,4 @@ index 1f75fc305..84bafea5f 100644
 + csi, err := storer.New(issuers, s3client, c.CRLStorer.S3Bucket, c.CRLStorer.LocalStorePath, scope, logger, clk)
 cmd.FailOnError(err, "Failed to create CRLStorer impl")
- start, err := bgrpc.NewServer(c.CRLStorer.GRPC).Add(
+ start, err := bgrpc.NewServer(c.CRLStorer.GRPC, logger).Add(
diff --git a/patches/docker-compose-redis.patch b/patches/docker-compose-redis.patch
index e160918..fa81cef 100644
--- a/patches/docker-compose-redis.patch
+++ b/patches/docker-compose-redis.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 5eb8a5513..05d16611b 100644
+index 4b62cf28d..f2b242fb5 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -20,8 +20,6 @@ services:
@@ -43,9 +43,9 @@ index 5eb8a5513..05d16611b 100644
 - ipv4_address: 10.33.33.3
 - bconsul:
- image: hashicorp/consul:1.13.1
+ image: hashicorp/consul:1.14.2
 volumes:
-@@ -142,13 +120,6 @@ networks:
+@@ -146,13 +124,6 @@ networks:
 config:
 - subnet: 10.88.88.0/24
diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch
index e229f55..112d669 100644
--- a/patches/docker-compose.patch
+++ b/patches/docker-compose.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 05d16611b..4fe5b4749 100644
+index f2b242fb5..e63e560cd 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -8,10 +8,12 @@ services:
@@ -58,7 +58,7 @@ index 05d16611b..4fe5b4749 100644
 logging:
 - driver: none
 - bproxysql:
-- image: proxysql/proxysql:2.4.4
+- image: proxysql/proxysql:2.5.2
 - # The --initial flag force resets the ProxySQL database on startup. By
 - # default, ProxySQL ignores new configuration if the database already
 - # exists. Without this flag, new configuration wouldn't be applied until you
@@ -79,9 +79,9 @@ index 05d16611b..4fe5b4749 100644
 + restart: always
 bconsul:
- image: hashicorp/consul:1.13.1
-@@ -84,26 +81,70 @@ services:
- ipv4_address: 10.55.55.10
+ image: hashicorp/consul:1.14.2
+@@ -88,26 +85,70 @@ services:
+ ipv4_address: 10.88.88.10
 command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
 - netaccess:
diff --git a/patches/entrypoint.patch b/patches/entrypoint.patch
index 7ffda4d..c8859ea 100644
--- a/patches/entrypoint.patch
+++ b/patches/entrypoint.patch
@@ -2,7 +2,13 @@ diff --git a/test/entrypoint.sh b/test/entrypoint.sh
 index 5ca9929..f18e1d8 100755
 --- a/test/entrypoint.sh
 +++ b/test/entrypoint.sh
-@@ -16,6 +16,18 @@ wait_tcp_port boulder-mysql 3306
+@@ -13,12 +13,21 @@
+ # make sure we can reach the mysqldb.
+ ./test/wait-for-it.sh boulder-mysql 3306
+
+-# make sure we can reach the proxysql.
+-./test/wait-for-it.sh bproxysql 6032
+-
 # create the database
 MYSQL_CONTAINER=1 $DIR/create_db.sh
diff --git a/patches/ocsp-responder_main.patch b/patches/ocsp-responder_main.patch
index 78cbe39..ceacbcd 100644
--- a/patches/ocsp-responder_main.patch
+++ b/patches/ocsp-responder_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go
-index 39a0dac43..c7e0dc02d 100644
+index 52027e8cd..320a41917 100644
 --- a/cmd/ocsp-responder/main.go
 +++ b/cmd/ocsp-responder/main.go
 @@ -88,7 +88,7 @@ type Config struct {
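Review bot: The embedded entrypoint.sh patch keeps `index 5ca9929..f18e1d8 100755` as unchanged context while its inner hunk header is rewritten from `@@ -16,6 +16,18 @@` to `@@ -13,12 +13,21 @@`; every other patch file touched by this commit (cmd_config, crl-storer_main, docker-compose, docker-compose-redis, ocsp-responder_main) refreshes its inner `index` line together with the offsets. If those blob ids no longer match the upstream file, plain `patch` and `git apply` still work, but `git apply --3way` cannot fall back on them, and the inconsistency makes it harder to tell which boulder tag the patch was last regenerated against. Regenerating the inner header with the same workflow used for the other patches, or dropping the `index` line from all of them, would keep the set uniform.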
@@ -11,97 +11,12 @@ index 39a0dac43..c7e0dc02d 100644
 // TLS client certificate, private key, and trusted root bundle.
 TLS cmd.TLSConfig `validate:"required_without=Source,structonly"`
-@@ -154,49 +154,51 @@ as generated by Boulder's ceremony command.
+@@ -153,7 +153,7 @@ as generated by Boulder's ceremony command.
+ }
 source, err = responder.NewMemorySourceFromFile(filename, logger)
 cmd.FailOnError(err, fmt.Sprintf("Couldn't read file: %s", url.Path))
- } else {
-- // Set up the redis source and the combined multiplex source.
-- rocspRWClient, err := rocsp_config.MakeClient(c.OCSPResponder.Redis, clk, scope)
-- cmd.FailOnError(err, "Could not make redis client")
--
-- err = rocspRWClient.Ping(context.Background())
-- cmd.FailOnError(err, "pinging Redis")
--
-- liveSigningPeriod := c.OCSPResponder.LiveSigningPeriod.Duration
-- if liveSigningPeriod == 0 {
-- liveSigningPeriod = 60 * time.Hour
-- }
--
-- tlsConfig, err := c.OCSPResponder.TLS.Load(scope)
-- cmd.FailOnError(err, "TLS config")
--
-- raConn, err := bgrpc.ClientSetup(c.OCSPResponder.RAService, tlsConfig, scope, clk)
-- cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
-- rac := rapb.NewRegistrationAuthorityClient(raConn)
--
-- maxInflight := c.OCSPResponder.MaxInflightSignings
-- if maxInflight == 0 {
-- maxInflight = 1000
-+ if c.OCSPResponder.Redis != nil {
-+ // Set up the redis source and the combined multiplex source.
-+ rocspRWClient, err := rocsp_config.MakeClient(c.OCSPResponder.Redis, clk, scope)
-+ cmd.FailOnError(err, "Could not make redis client")
-+
-+ err = rocspRWClient.Ping(context.Background())
-+ cmd.FailOnError(err, "pinging Redis")
-+
-+ liveSigningPeriod := c.OCSPResponder.LiveSigningPeriod.Duration
-+ if liveSigningPeriod == 0 {
-+ liveSigningPeriod = 60 * time.Hour
-+ }
-+
-+ tlsConfig, err := c.OCSPResponder.TLS.Load(scope)
-+ cmd.FailOnError(err, "TLS config")
-+
-+ raConn, err := bgrpc.ClientSetup(c.OCSPResponder.RAService, tlsConfig, scope, clk)
-+ cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
-+ rac := rapb.NewRegistrationAuthorityClient(raConn)
-+
-+ maxInflight := c.OCSPResponder.MaxInflightSignings
-+ if maxInflight == 0 {
-+ maxInflight = 1000
-+ }
-+ liveSource := live.New(rac, int64(maxInflight), c.OCSPResponder.MaxSigningWaiters)
-+
-+ rocspSource, err := redis_responder.NewRedisSource(rocspRWClient, liveSource, liveSigningPeriod, clk, scope, logger)
-+ cmd.FailOnError(err, "Could not create redis source")
-+
-+ var dbMap *db.WrappedMap
-+ if c.OCSPResponder.DB != (cmd.DBConfig{}) {
-+ dbMap, err = sa.InitWrappedDb(c.OCSPResponder.DB, scope, logger)
-+ cmd.FailOnError(err, "While initializing dbMap")
-+ }
-+
-+ var sac sapb.StorageAuthorityReadOnlyClient
-+ if c.OCSPResponder.SAService != nil {
-+ saConn, err := bgrpc.ClientSetup(c.OCSPResponder.SAService, tlsConfig, scope, clk)
-+ cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
-+ sac = sapb.NewStorageAuthorityReadOnlyClient(saConn)
-+ }
-+
-+ source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, scope, logger)
-+ cmd.FailOnError(err, "Could not create checkedRedis source")
- }
-- liveSource := live.New(rac, int64(maxInflight), c.OCSPResponder.MaxSigningWaiters)
--
-- rocspSource, err := redis_responder.NewRedisSource(rocspRWClient, liveSource, liveSigningPeriod, clk, scope, logger)
-- cmd.FailOnError(err, "Could not create redis source")
--
-- var dbMap *db.WrappedMap
-- if c.OCSPResponder.DB != (cmd.DBConfig{}) {
-- dbMap, err = sa.InitWrappedDb(c.OCSPResponder.DB, scope, logger)
-- cmd.FailOnError(err, "While initializing dbMap")
-- }
--
-- var sac sapb.StorageAuthorityReadOnlyClient
-- if c.OCSPResponder.SAService != nil {
-- saConn, err := bgrpc.ClientSetup(c.OCSPResponder.SAService, tlsConfig, scope, clk)
-- cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
-- sac = sapb.NewStorageAuthorityReadOnlyClient(saConn)
-- }
--
-- source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, scope, logger)
-- cmd.FailOnError(err, "Could not create checkedRedis source")
-
- // Load the certificate from the file path.
- issuerCerts := make([]*issuance.Certificate, len(c.OCSPResponder.IssuerCerts))
+- } else {
++ } else if c.OCSPResponder.Redis != nil {
+ // Set up the redis source and the combined multiplex source.
+ rocspRWClient, err := rocsp_config.MakeClient(c.OCSPResponder.Redis, clk, scope)
+ cmd.FailOnError(err, "Could not make redis client")
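Review bot: Turning `} else {` into `} else if c.OCSPResponder.Redis != nil {` leaves a configuration with neither a file `Source` nor a `Redis` block falling through with `source` still unset, and nothing in the new patch fails fast at that point; unless code after this block (outside the hunk) checks for a nil source, the responder would start with no OCSP source at all and the misconfiguration would only surface on the first request. The previous form of the patch had the same gap inside its nested `if c.OCSPResponder.Redis != nil`, so this is pre-existing, but the new shape makes it cheap to close with a terminating branch: `} else {` / `cmd.Fail("ocsp-responder requires either a source URL or a redis configuration")` / `}`. The `validate:"required_without=Source,structonly"` tag visible on `TLS` suggests the config validator already reasons about `Source`, so a matching tag on `Redis` may be an alternative; confirm against the full `Config` struct. The enclosing `main` starts and ends outside the hunk, and the declaration and later use of `source` are not visible here.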