From 924bdc1fee7285ea9147ea92509f288688241789 Mon Sep 17 00:00:00 2001
From: Stanislaw Bogatkin
Date: Tue, 20 Dec 2016 14:40:28 +0300
Subject: [PATCH] Add DNS name change opportunity

When change DNS hostname in TLS certificate for OpenStack endpoints, make additional conditions to allow services use new certificate.

Change-Id: Ia2724eb397962f569b8360e684b599c472a891e2
Closes-Bug: #1649886
---
 .../cluster_haproxy/restart_haproxy.pp | 15 +++++++++++
 .../modular/astute/generate_haproxy_keys.sh | 8 ++----
 .../osnailyfacter/modular/astute/tasks.yaml | 9 ++++---
 .../cluster-haproxy/restart-haproxy.pp | 3 +++
 .../modular/cluster-haproxy/tasks.yaml | 17 +++++++++++++
 .../modular/openstack-haproxy/tasks.yaml | 2 +-
 .../cluster-haproxy/restart-haproxy_spec.rb | 25 +++++++++++++++++++
 7 files changed, 69 insertions(+), 10 deletions(-)
 create mode 100644 deployment/puppet/osnailyfacter/manifests/cluster_haproxy/restart_haproxy.pp
 create mode 100644 deployment/puppet/osnailyfacter/modular/cluster-haproxy/restart-haproxy.pp
 create mode 100644 tests/noop/spec/hosts/cluster-haproxy/restart-haproxy_spec.rb
diff --git a/deployment/puppet/osnailyfacter/manifests/cluster_haproxy/restart_haproxy.pp b/deployment/puppet/osnailyfacter/manifests/cluster_haproxy/restart_haproxy.pp
new file mode 100644
index 0000000000..6dc3d62ba4
--- /dev/null
+++ b/deployment/puppet/osnailyfacter/manifests/cluster_haproxy/restart_haproxy.pp
@@ -0,0 +1,15 @@
+class osnailyfacter::cluster_haproxy::restart_haproxy {
+
+ notice('MODULAR: cluster_haproxy/restart_haproxy.pp')
+
+ notify { 'Haproxy service will be restarted': } ~>
+
+ service { 'haproxy' :
+ ensure => 'running',
+ name => 'p_haproxy',
+ provider => 'pacemaker',
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ }
+}
diff --git a/deployment/puppet/osnailyfacter/modular/astute/generate_haproxy_keys.sh b/deployment/puppet/osnailyfacter/modular/astute/generate_haproxy_keys.sh
index 151e5cc927..b5fda1f601 100755
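Review bot: The new class has no comment saying why it restarts haproxy unconditionally: `notify { 'Haproxy service will be restarted': } ~> service { 'haproxy' : ... }` fires a refresh on every catalog run, so the only guard against a needless cluster-wide restart is the task condition in cluster-haproxy/tasks.yaml. A header comment such as `# Forces a restart of the pacemaker-managed haproxy so it reloads the regenerated public TLS certificate; only scheduled by the restart-haproxy task when public_ssl.hostname changes.` would make that contract explicit. The refresh relies on `hasrestart => true`, which with the pacemaker provider presumably maps to a full resource restart rather than a reload — worth confirming, since a reload would avoid dropping in-flight connections on every controller at once.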
--- a/deployment/puppet/osnailyfacter/modular/astute/generate_haproxy_keys.sh
+++ b/deployment/puppet/osnailyfacter/modular/astute/generate_haproxy_keys.sh
@@ -22,12 +22,8 @@ generate_open_ssl_keys () {
 local key_path="$dir_path/public_$i.key"
 local crt_path="$dir_path/public_$i.crt"
 mkdir -p $dir_path
- if [ ! -f $key_path ]; then
- env SSL_CN_NAME="$cn_name" bash -c "openssl req -newkey rsa:2048 -nodes -keyout $key_path -x509 -days 3650 -out $crt_path -config $CONF_PATH/openssl.cnf -extensions v3_req 2>&1"
- cat "$crt_path" "$key_path" > "$dir_path/public_$i.pem"
- else
- echo "Key $key_path already exists"
- fi
+ env SSL_CN_NAME="$cn_name" bash -c "openssl req -newkey rsa:2048 -nodes -keyout $key_path -x509 -days 3650 -out $crt_path -config $CONF_PATH/openssl.cnf -extensions v3_req 2>&1"
+ cat "$crt_path" "$key_path" > "$dir_path/public_$i.pem"
 done
 }
diff --git a/deployment/puppet/osnailyfacter/modular/astute/tasks.yaml b/deployment/puppet/osnailyfacter/modular/astute/tasks.yaml
index a4ab33b35e..0d7093c651 100644
--- a/deployment/puppet/osnailyfacter/modular/astute/tasks.yaml
+++ b/deployment/puppet/osnailyfacter/modular/astute/tasks.yaml
@@ -243,7 +243,8 @@
 requires: [pre_deployment_start]
 condition:
 yaql_exp: &public_ssl >
- (changedAny($.public_ssl.horizon, $.public_ssl.services)) and
+ (changedAny($.public_ssl.horizon, $.public_ssl.services,
+ $.public_ssl.hostname)) and
 ($.public_ssl.horizon or $.public_ssl.services) and
 $.public_ssl.cert_source = 'self_signed'
 required_for: [copy_haproxy_keys]
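Review bot: The `openssl req` invocation on the first added line is never checked for success before the second added line concatenates `$crt_path` and `$key_path` into the `.pem`; now that the `if [ ! -f $key_path ]` guard is gone, a failed openssl run leaves a stale or partial key and a truncated bundle that haproxy is then restarted against. Appending `|| { echo "Failed to generate $key_path" >&2; return 1; }` to the `bash -c "..."` line (or a `set -e` at the top of the script, if it is not already there — the function starts outside the hunk) makes the failure visible to the calling task instead of silently producing a bad certificate. The `2>&1` inside the quoted command folds openssl's diagnostics into stdout, so the exit status is the only reliable failure signal. Note also that every run of this task now replaces the private key, which is the intended effect of the change, but it means any client that pinned the previous self-signed certificate has to pick up the new one.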
@@ -257,11 +258,13 @@
 role: ['/.*/']
 condition:
 yaql_exp: >
- (((changedAny($.public_ssl.horizon, $.public_ssl.services)) and
+ (((changedAny($.public_ssl.horizon, $.public_ssl.services,
+ $.public_ssl.hostname)) and
 ($.public_ssl.horizon or $.public_ssl.services) and
 (not (old($.public_ssl.horizon) or old($.public_ssl.services)))) or
 (($.public_ssl.horizon or $.public_ssl.services) and
- ($.uid in added($.network_metadata.nodes.values()).uid))) and
+ (($.uid in added($.network_metadata.nodes.values()).uid) or (
+ changed($.public_ssl.hostname))))) and
 $.public_ssl.cert_source = 'self_signed'
 required_for: [pre_deployment_end]
 requires: [generate_haproxy_keys]
diff --git a/deployment/puppet/osnailyfacter/modular/cluster-haproxy/restart-haproxy.pp b/deployment/puppet/osnailyfacter/modular/cluster-haproxy/restart-haproxy.pp
new file mode 100644
index 0000000000..1d0a10da84
--- /dev/null
+++ b/deployment/puppet/osnailyfacter/modular/cluster-haproxy/restart-haproxy.pp
@@ -0,0 +1,3 @@
+include ::osnailyfacter::cluster_haproxy::restart_haproxy
+include ::osnailyfacter::upgrade::restart_services
+include ::osnailyfacter::override_resources
diff --git a/deployment/puppet/osnailyfacter/modular/cluster-haproxy/tasks.yaml b/deployment/puppet/osnailyfacter/modular/cluster-haproxy/tasks.yaml
index 5d38d3e490..639407dec0 100644
--- a/deployment/puppet/osnailyfacter/modular/cluster-haproxy/tasks.yaml
+++ b/deployment/puppet/osnailyfacter/modular/cluster-haproxy/tasks.yaml
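Review bot: The added alternative `(($.uid in added($.network_metadata.nodes.values()).uid) or (changed($.public_ssl.hostname)))` pushes this condition to five levels of parentheses, which is hard to verify by eye; the parentheses around `changed($.public_ssl.hostname)` are redundant, and the "first enable" and "hostname changed" branches would read better as two named anchors, in the style of the `&public_ssl` anchor the previous hunk already uses. Functionally the change looks right: the copy task now re-runs on every node when the hostname changes, matching the regeneration condition. One caveat worth a comment next to the expression: both conditions still require `$.public_ssl.cert_source = 'self_signed'`, so a hostname change with a user-provided certificate is deliberately not handled here.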
@@ -42,3 +42,20 @@
 yaql_exp: *haproxy_strategy
 test_post:
 cmd: ruby /etc/puppet/modules/osnailyfacter/modular/cluster-haproxy/cluster-haproxy_post.rb
+
+- id: restart-haproxy
+ type: puppet
+ version: 2.1.0
+ groups: [primary-controller, controller]
+ required_for: [deploy_end]
+ requires: [deploy_start, virtual_ips, cluster]
+ condition:
+ yaql_exp: 'changed($.public_ssl.hostname) and old($)'
+ parameters:
+ puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/cluster-haproxy/restart-haproxy.pp
+ puppet_modules: /etc/puppet/modules
+ timeout: 120
+ strategy:
+ type: parallel
+ amount:
+ yaql_exp: *haproxy_strategy
diff --git a/deployment/puppet/osnailyfacter/modular/openstack-haproxy/tasks.yaml b/deployment/puppet/osnailyfacter/modular/openstack-haproxy/tasks.yaml
index c222e46ca8..3745747096 100644
--- a/deployment/puppet/osnailyfacter/modular/openstack-haproxy/tasks.yaml
+++ b/deployment/puppet/osnailyfacter/modular/openstack-haproxy/tasks.yaml
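Review bot: The new task's condition `yaql_exp: 'changed($.public_ssl.hostname) and old($)'` is looser than the conditions guarding key generation in astute/tasks.yaml: it checks neither `$.public_ssl.horizon or $.public_ssl.services` nor `cert_source = 'self_signed'`, so a hostname change on a deployment that does not terminate public TLS at all, or that uses an unchanged uploaded certificate, still restarts haproxy on every controller. Consider `yaql_exp: 'changed($.public_ssl.hostname) and ($.public_ssl.horizon or $.public_ssl.services) and old($)'` so the restart only happens when a certificate is actually in use. The `requires: [deploy_start, virtual_ips, cluster]` list also omits the haproxy configuration task that precedes this one in the file (the `cluster-haproxy_post.rb` context suggests it is `cluster-haproxy`), so on a run where both execute the restart is not ordered after the new configuration is written — worth confirming whether that ordering matters here.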
@@ -3,7 +3,7 @@
 version: 2.0.0
 groups: [primary-controller, controller]
 required_for: [deploy_end]
- requires: [deploy_start, openstack-haproxy-ceilometer, openstack-haproxy-aodh, openstack-haproxy-cinder, openstack-haproxy-glance, openstack-haproxy-heat, openstack-haproxy-horizon, openstack-haproxy-keystone, openstack-haproxy-murano, openstack-haproxy-mysqld, openstack-haproxy-neutron, openstack-haproxy-nova, openstack-haproxy-radosgw, openstack-haproxy-sahara, openstack-haproxy-swift, openstack-haproxy-stats, openstack-haproxy-ironic]
+ requires: [deploy_start, openstack-haproxy-ceilometer, openstack-haproxy-aodh, openstack-haproxy-cinder, openstack-haproxy-glance, openstack-haproxy-heat, openstack-haproxy-horizon, openstack-haproxy-keystone, openstack-haproxy-murano, openstack-haproxy-mysqld, openstack-haproxy-neutron, openstack-haproxy-nova, openstack-haproxy-radosgw, openstack-haproxy-sahara, openstack-haproxy-swift, openstack-haproxy-stats, openstack-haproxy-ironic, restart-haproxy]
 parameters:
 puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/openstack-haproxy/openstack-haproxy.pp
 puppet_modules: /etc/puppet/modules
diff --git a/tests/noop/spec/hosts/cluster-haproxy/restart-haproxy_spec.rb b/tests/noop/spec/hosts/cluster-haproxy/restart-haproxy_spec.rb
new file mode 100644
index 0000000000..d70b496f7d
--- /dev/null
+++ b/tests/noop/spec/hosts/cluster-haproxy/restart-haproxy_spec.rb
@@ -0,0 +1,25 @@
+# ROLE: primary-controller
+# ROLE: controller
+
+require 'spec_helper'
+require 'shared-examples'
+manifest = 'cluster-haproxy/restart-haproxy.pp'
+
+describe manifest do
+
+ shared_examples 'catalog' do
+
+ it "should declare haproxy service with correct other_networks" do
+ expect(subject).to contain_service('haproxy').with(
+ 'ensure' => 'running',
+ 'name' => 'p_haproxy',
+ 'provider' => 'pacemaker',
+ 'enable' => 'true',
+ 'hasstatus' => 'true',
+ 'hasrestart' => 'true',
+ )
+ end
+
+ end
+ test_ubuntu_and_centos manifest
+end
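Review bot: The example description `"should declare haproxy service with correct other_networks"` does not describe what is asserted — the `expect(subject).to contain_service('haproxy').with(...)` call checks the pacemaker service parameters and says nothing about networks — so it reads like a copy-paste from another spec; rename it to `it "should declare the pacemaker-managed haproxy service" do`. The spec also never covers the `notify ~> service` relationship that actually triggers the restart, so a manifest that dropped the `~>` would still pass; add `expect(subject).to contain_notify('Haproxy service will be restarted').that_notifies('Service[haproxy]')` next to the existing expectation. Both points apply only to the spec hunk on this line.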