Fix a potential race condition with certs-ramfs

There is a potential race condition in the start order for the
amphora-agent service and the certs-ramfs service.
This patch configures an explict ordering for the services.

Change-Id: I8e449b19af72d72f6effd52e0a2debb5754a19b3
Story: 2006823
Task: 37396

elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.conf

@@ -1,6 +1,6 @@
 description "Start up the Octavia Amphora Agent"
 
-start on runlevel [2345]
+start on started certs-ramfs
 stop on runlevel [!2345]
 
 respawn

elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.init

@@ -1,6 +1,6 @@
 ### BEGIN INIT INFO
 # Provides:          amphora-agent
-# Required-Start:    $remote_fs $syslog $network
+# Required-Start:    $remote_fs $syslog $network certs-ramfs
 # Required-Stop:     $remote_fs $syslog $network
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6

elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.service

@@ -1,6 +1,7 @@
 [Unit]
 Description=OpenStack Octavia Amphora Agent
-After=network.target syslog.service
+After=network.target syslog.service certs-ramfs.service
+Requires=certs-ramfs.service
 Wants=syslog.service
 
 [Service]

elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service

@@ -1,5 +1,6 @@
 [Unit]
 Description=Creates an encrypted ramfs for Octavia certs
+Before=amphora-agent.service
 After=cloud-config.target
 
 [Service]

releasenotes/notes/fix-certs-ramfs-race-561f355d13fc6d14.yaml

@@ -0,0 +1,14 @@
+---
+upgrade:
+  - |
+    A new amphora image is required to fix the potential certs-ramfs race
+    condition.
+security:
+  - |
+    A race condition between the certs-ramfs and the amphora agent may lead
+    to tenant TLS content being stored on the amphora filesystem instead of
+    in the encrypted RAM filesystem.
+fixes:
+  - |
+    Fixed a potential race condition with the certs-ramfs and amphora agent
+    services.