Automate the certificate renewal process whenever a new deploy is run.

[JamesXNelson]

The branch https://github.com/JamesXNelson/deephaven-core/tree/jxn/demo_refactored has code to easily issue new lets encrypt certificates and update the kubernetes secret feeding the demo site.

We should teach the regular deploy process to check the expiry of the cert, and if it has a month or less left, we should renew it automatically.

This must be done by March 22, 2022, or at least, we will need to manually update the cert using the aforementioned branch by running:

# Mess below is "make sure you are working against the correct kubernetes cluster
CLUSTER_NAME="${CLUSTER_NAME:-dhce-auto}"
PROJECT_ID="${PROJECT_ID:-deephaven-oss}"
ZONE="${ZONE:-us-central1}"
K8S_CONTEXT="gke_${PROJECT_ID}_${ZONE}_${CLUSTER_NAME}"
mkdir -p "$HOME/.kube"
export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/config}"
gcloud container clusters get-credentials "${CLUSTER_NAME}" \
    --zone "${ZONE}" \
    --project "${PROJECT_ID}" \
    --verbosity debug
kubectl config use-context "${K8S_CONTEXT}"

# Push our docker images. Pushes more than we technically need, but it makes this code much simpler
./gradlew :demo:pushAll

# Rerun the kubernetes Job to update the cert
cd demo/certs
kubectl delete -f ./cert-wildcard-job.yaml
kubectl apply -f ./cert-wildcard-job.yaml

# Wait for logs, and read them to make sure everything went well
while ! kubectl logs -f $(k get po | grep cert-wildcard-job | awk '{print $1}'); do sleep 1 ; done

# Redeploy demo site
./gradlew deployDemo

# Check that the new demo controller is functioning by visiting it's url, then promote it to the "leader" DNS record for demo.deephaven.app 

Once this is automated (get the secret, check expiry, run above code in a gradle task a few weeks before expiration), then we'll get free renewal on certs during regular deployments.