Evenly distribute certificate renewal time (#255) (#259)

Dockerfile

@@ -28,7 +28,7 @@ RUN sh -c "wget -q https://github.com/jwilder/docker-gen/releases/download/$DOCK
     tar xzC /bin
 RUN wget -q https://raw.githubusercontent.com/diafygi/acme-tiny/$ACME_TINY_VERSION/acme_tiny.py -O /bin/acme_tiny
 
-RUN rm /etc/nginx/conf.d/default.conf
+RUN rm /etc/nginx/conf.d/default.conf /etc/crontab
 
 COPY ./fs_overlay /
 

fs_overlay/opt/certs_manager/certs_manager.rb

@@ -8,6 +8,8 @@ class CertsManager
 
   def setup
     add_dockerhost_to_hosts
+    ensure_crontab
+
     NAConfig.domains.each do |domain|
       if NAConfig.debug_mode?
         domain.print_debug_info
@@ -88,4 +90,18 @@ def with_lock(&block)
       yield(block)
     end
   end
+
+  def ensure_crontab
+    crontab = '/etc/crontab'
+
+    unless File.exist?(crontab)
+      File.open(crontab, 'w') do |file|
+        file.write compiled_crontab
+      end
+    end
+  end
+
+  def compiled_crontab
+    ERBBinding.new('/var/lib/crontab.erb', {}).compile
+  end
 end

fs_overlay/etc/crontab → fs_overlay/var/lib/crontab.erb

@@ -1,3 +1,8 @@
+# THIS FILE IS AUTO-GENERATED FROM /var/lib/crontab.erb ON FIRST RUN.
+# Certificate renewal is set to start at a random fractional second evenly
+# throughout the day on container creation, to avoid Let's Encrypt workload
+# peaks.
+#
 # /etc/crontab: system-wide crontab
 # Unlike any other crontab you don't have to run the `crontab'
 # command to install the new version when you edit this file
@@ -8,5 +13,5 @@ SHELL=/bin/sh
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
 # m h dom mon dow user  command
-42 7 * * * root  . /etc/cron_env.sh; /bin/renew_certs > /proc/$(cat /var/run/crond.pid)/fd/1 2>&1
+<%= rand 60 %> <%= rand 24 %> * * * root  . /etc/cron_env.sh; /bin/sleep <%= rand * 60 %>; /bin/renew_certs > /proc/$(cat /var/run/crond.pid)/fd/1 2>&1
 45 3 * * * root  . /etc/cron_env.sh; /usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.d/nginx -l /var/log/nginx/logrotate.log