cmd/coordinator,cmd/gerritbot: use HTTP/2 between LB and app

Also disassociate LE certs we don't need any more.

For golang/go#49191.

Change-Id: I74acf2f2f52fbf91670d27d91112136450f81944
Reviewed-on: https://go-review.googlesource.com/c/build/+/359479
Trust: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>

cmd/coordinator/deployment-prod.yaml

@@ -20,10 +20,11 @@ spec:
       - name: coordinator
         image: gcr.io/symbolic-datum-552/coordinator:latest
         imagePullPolicy: Always
-        command: ["/coordinator", "-listen-http=:80", "-listen-https-autocert=:443", "-autocert-bucket=farmer-golang-org-autocert-cache"]
+        command: ["/coordinator", "-listen-http=:80", "-listen-https-autocert=:443", "-autocert-bucket=farmer-golang-org-autocert-cache", "-listen-https-selfsigned=:444"]
         ports:
         - containerPort: 80
         - containerPort: 443
+        - containerPort: 444
         - containerPort: 2222 # ssh proxy port
         - containerPort: 8123 # module proxy port (internal, not accessible directly from public)
         resources:
@@ -58,11 +59,16 @@ kind: Service
 metadata:
   namespace: prod
   name: coordinator-internal
+  annotations:
+    cloud.google.com/app-protocols: '{"https":"HTTP2"}'
 spec:
   ports:
     - port: 80
       targetPort: 80
       name: http
+    - port: 444
+      targetPort: 444
+      name: https
   selector:
     app: coordinator
   type: ClusterIP

cmd/gerritbot/deployment-prod.yaml

@@ -21,7 +21,7 @@ spec:
       - name: gerritbot
         image: gcr.io/symbolic-datum-552/gerritbot:latest
         imagePullPolicy: Always
-        command: ["/sbin/tini", "--", "/gerritbot", "-listen-http=:80", "-listen-https-autocert=:443", "-autocert-bucket=golang-gerritbot-autocert", "-gitcookies-file=/gitcookies"]
+        command: ["/sbin/tini", "--", "/gerritbot", "-listen-http=:80", "-listen-https-autocert=:443", "-autocert-bucket=golang-gerritbot-autocert", "-listen-https-selfsigned=:444", "-gitcookies-file=/gitcookies"]
         ports:
         - containerPort: 80
         - containerPort: 443
@@ -57,11 +57,16 @@ kind: Service
 metadata:
   namespace: prod
   name: gerritbot-internal
+  annotations:
+    cloud.google.com/app-protocols: '{"https":"HTTP2"}'
 spec:
   ports:
     - port: 80
       targetPort: 80
       name: http
+    - port: 444
+      targetPort: 444
+      name: https
   selector:
     app: gerritbot
   type: ClusterIP

deploy/build-ingress.yaml

@@ -6,8 +6,6 @@ metadata:
   annotations:
     kubernetes.io/ingress.global-static-ip-name: ingress
     networking.gke.io/managed-certificates: dev-test-cert,build-cert,dev-cert,gerritbot-cert,maintner-cert
-    # Legacy Let's Encrypt certs.
-    ingress.gcp.kubernetes.io/pre-shared-cert: build-golang-org,build-golang-org-rsa,dev-golang-org,dev-golang-org-rsa,gerritbot-golang-org,gerritbot-golang-org-rsa,maintner-golang-org,maintner-golang-org-rsa
     kubernetes.io/ingress.class: "gce"
     networking.gke.io/v1beta1.FrontendConfig: build-ingress-frontend
 spec:
@@ -38,7 +36,7 @@ spec:
           service:
             name: coordinator-internal
             port:
-              number: 80
+              number: 444
   - host: dev.golang.org
     http:
       paths:
@@ -58,7 +56,7 @@ spec:
           service:
             name: gerritbot-internal
             port:
-              number: 80
+              number: 444
   - host: maintner.golang.org
     http:
       paths: