authorVladimir Shushlin <vshushlin@gitlab.com>2019-06-24 20:35:12 +0000
committerNick Thomas <nick@gitlab.com>2019-06-24 20:35:12 +0000
commita7764d0e845db524f2913b6c11c88dfd121ec522 (patch)
tree8e84742f692e05e56102b7cfd7d20462ba1c8305 /app
parentbf8f5b8f446c504ca13ef2a8cf28cc3faeaf3253 (diff)
downloadgitlab-ce-a7764d0e845db524f2913b6c11c88dfd121ec522.tar.gz
Renew Let's Encrypt certificates
Add index for pages domain ssl auto renewal Add PagesDomain.needs_ssl_renewal scope Add cron worker for ssl renewal Add worker for ssl renewal Add pages ssl renewal worker queues settings
Diffstat (limited to 'app')
-rw-r--r--app/models/pages_domain.rb10
-rw-r--r--app/workers/all_queues.yml2
-rw-r--r--app/workers/pages_domain_ssl_renewal_cron_worker.rb14
-rw-r--r--app/workers/pages_domain_ssl_renewal_worker.rb15
4 files changed, 41 insertions, 0 deletions
diff --git a/app/models/pages_domain.rb b/app/models/pages_domain.rb
index 07195c0bfd3..d6d879c6d89 100644
--- a/app/models/pages_domain.rb
+++ b/app/models/pages_domain.rb
@@ -3,6 +3,7 @@
class PagesDomain < ApplicationRecord
VERIFICATION_KEY = 'gitlab-pages-verification-code'.freeze
VERIFICATION_THRESHOLD = 3.days.freeze
+ SSL_RENEWAL_THRESHOLD = 30.days.freeze
enum certificate_source: { user_provided: 0, gitlab_provided: 1 }, _prefix: :certificate
@@ -41,6 +42,15 @@ class PagesDomain < ApplicationRecord
where(verified_at.eq(nil).or(enabled_until.eq(nil).or(enabled_until.lt(threshold))))
end
+ scope :need_auto_ssl_renewal, -> do
+ expiring = where(certificate_valid_not_after: nil).or(
+ where(arel_table[:certificate_valid_not_after].lt(SSL_RENEWAL_THRESHOLD.from_now)))
+
+ user_provided_or_expiring = certificate_user_provided.or(expiring)
+
+ where(auto_ssl_enabled: true).merge(user_provided_or_expiring)
+ end
+
scope :for_removal, -> { where("remove_at < ?", Time.now) }
def verified?
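Review bot: The `certificate_user_provided` branch of `need_auto_ssl_renewal` matches every auto-SSL domain that has a user-provided certificate, regardless of its expiry date, which the scope name does not convey. If that is intended (replacing an uploaded certificate once auto SSL is switched on), a comment above the scope would stop a later reader from "fixing" it, e.g. `# Auto-SSL domains that still have a user-provided certificate, or whose certificate has no recorded expiry or expires within SSL_RENEWAL_THRESHOLD`. The scope also does not filter on `verified_at` or `enabled_until` the way the scope ending just above it does, so it is worth confirming whether unverified or disabled domains should trigger certificate issuance. The class body continues outside this hunk.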
diff --git a/app/workers/all_queues.yml b/app/workers/all_queues.yml
index fd0cc5fb24e..e55962b629e 100644
--- a/app/workers/all_queues.yml
+++ b/app/workers/all_queues.yml
@@ -9,6 +9,7 @@
- cronjob:import_export_project_cleanup
- cronjob:pages_domain_verification_cron
- cronjob:pages_domain_removal_cron
+- cronjob:pages_domain_ssl_renewal_cron
- cronjob:pipeline_schedule
- cronjob:prune_old_events
- cronjob:remove_expired_group_links
@@ -133,6 +134,7 @@
- new_note
- pages
- pages_domain_verification
+- pages_domain_ssl_renewal
- plugin
- post_receive
- process_commit
diff --git a/app/workers/pages_domain_ssl_renewal_cron_worker.rb b/app/workers/pages_domain_ssl_renewal_cron_worker.rb
new file mode 100644
index 00000000000..4ca9db922b4
--- /dev/null
+++ b/app/workers/pages_domain_ssl_renewal_cron_worker.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class PagesDomainSslRenewalCronWorker
+ include ApplicationWorker
+ include CronjobQueue
+
+ def perform
+ return unless ::Gitlab::LetsEncrypt::Client.new.enabled?
+
+ PagesDomain.need_auto_ssl_renewal.find_each do |domain|
+ PagesDomainSslRenewalWorker.perform_async(domain.id)
+ end
+ end
+end
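Review bot: `perform` re-enqueues every domain returned by `need_auto_ssl_renewal` on each cron run, and nothing visible here records a failed attempt. A domain whose issuance keeps failing (for example because its DNS no longer points at the Pages host) would therefore be retried on every run indefinitely. Let's Encrypt rate-limits failed validations and orders per account, so a few permanently failing domains could delay renewals for healthy ones. Consider recording a failure flag or last-attempt timestamp on the domain and excluding recently failed domains in the scope. The cron schedule is not part of this diff, so the severity depends on how often the worker runs.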
diff --git a/app/workers/pages_domain_ssl_renewal_worker.rb b/app/workers/pages_domain_ssl_renewal_worker.rb
new file mode 100644
index 00000000000..00c9c4782d8
--- /dev/null
+++ b/app/workers/pages_domain_ssl_renewal_worker.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class PagesDomainSslRenewalWorker
+ include ApplicationWorker
+
+ def perform(domain_id)
+ return unless ::Gitlab::LetsEncrypt::Client.new.enabled?
+
+ domain = PagesDomain.find_by_id(domain_id)
+
+ return unless domain
+
+ ::PagesDomains::ObtainLetsEncryptCertificateService.new(domain).execute
+ end
+end
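Review bot: `perform` only checks that the domain still exists before calling the service, so a job queued before the owner turned auto SSL off, or a duplicate queued by a second cron run, still requests a certificate. Unless `ObtainLetsEncryptCertificateService` re-checks this itself (not visible here), guard on the domain's state at execution time: `return unless domain&.auto_ssl_enabled?`. A short comment on `perform` stating that it is safe to run for a domain that no longer needs renewal would also help.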