Migrate kiwi deployment to colorado.edu domain

[steveellis]

It looks like the email settings for password reset etc have already been migrated to kiwi.

The steps for migrating from cublcta to colorado.edu the domain are:

• [x] Migrate email settings (if needed). The current settings can be seen in Settings > Developer > Okapi config entries. If these are equivalent between the two systems this step can be skipped.
• [x] Ensure that permissions have been assigned to staff user accounts that need them.
• [x] Add the current stack name (currently green for kiwi) to the array in the usesProdCerts array. Run pulumi up. This will apply the colorado.edu domain cert to the okapi kubernetes deployment. Applying this change should not cause the domain to stop working on the iris deployment since it is just a change to the kubernetes service's annotation for kiwi (which refers to the cert).
• [x] Secure the supertenant.
• [x] Run kubectl get services and get the aws service dns names (one for okapi and one for the non dev stripes container). The dev container services the cublcta.com cert and can be left alone. Give these services to campus it to migrate the DNS. Once the DNS propagates the domain will be migrated and password reset will work (which depends on the colorado.edu domain).

Downtime

If all goes smoothly I don't think there will be any downtime. When DNS propagates people will see kiwi rather than iris at folio.colorado.edu. They will need to do pw reset, but that's it. If I messed something up. then the downtime will be however long that takes to fix. But since we have done this before I'm pretty confident it will work.

Testing

If we would like to test password reset before migrating the DNS, this is possible by running the email-update-reset.sh script which will set the pw reset url to kiwi-cublcta.com, but this only would "test" reset for that domain, so its not that useful IMO.

[steveellis]

Applying this change should not cause the domain to stop working on the iris deployment since it is just a change to the kubernetes service's annotation for kiwi (which refers to the cert).

However it will cause the kiwi deployment to stop working since the cublcta cert will no longer be bound to okapi. So we should make sure we don't need to do anything else to kiwi via the UI before running this. If we have to, switching it back to the cublcta.com domain is easily done by removing green from the usesProdCerts array and running pulumi up again.