Certificate changes should restart services
Certificate changes or path changes in octavia::certificate should notify the octavia::service::begin anchor so that services are refreshed; otherwise, for example, octavia-worker will not use a new certificate. Change-Id: Ie03cfedccc6a675976688a944b1ee91a0a9f55f1
@@ -113,7 +113,8 @@ class octavia::certificates (
|
|||||||
ensure => directory,
|
ensure => directory,
|
||||||
owner => $file_permission_owner,
|
owner => $file_permission_owner,
|
||||||
group => $file_permission_group,
|
group => $file_permission_group,
|
||||||
mode => '0755'
|
mode => '0755',
|
||||||
|
tag => 'octavia-certificate',
|
||||||
})
|
})
|
||||||
file { $ca_certificate:
|
file { $ca_certificate:
|
||||||
ensure => file,
|
ensure => file,
|
||||||
@@ -121,7 +122,8 @@ class octavia::certificates (
|
|||||||
group => $file_permission_owner,
|
group => $file_permission_owner,
|
||||||
owner => $file_permission_group,
|
owner => $file_permission_group,
|
||||||
mode => '0755',
|
mode => '0755',
|
||||||
replace => true
|
replace => true,
|
||||||
|
tag => 'octavia-certificate',
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if $ca_private_key_data {
|
if $ca_private_key_data {
|
||||||
@@ -132,7 +134,8 @@ class octavia::certificates (
|
|||||||
ensure => directory,
|
ensure => directory,
|
||||||
owner => $file_permission_owner,
|
owner => $file_permission_owner,
|
||||||
group => $file_permission_group,
|
group => $file_permission_group,
|
||||||
mode => '0755'
|
mode => '0755',
|
||||||
|
tag => 'octavia-certificate',
|
||||||
})
|
})
|
||||||
file { $ca_private_key:
|
file { $ca_private_key:
|
||||||
ensure => file,
|
ensure => file,
|
||||||
@@ -140,7 +143,8 @@ class octavia::certificates (
|
|||||||
group => $file_permission_owner,
|
group => $file_permission_owner,
|
||||||
owner => $file_permission_group,
|
owner => $file_permission_group,
|
||||||
mode => '0755',
|
mode => '0755',
|
||||||
replace => true
|
replace => true,
|
||||||
|
tag => 'octavia-certificate',
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if $client_ca and $client_ca_data {
|
if $client_ca and $client_ca_data {
|
||||||
@@ -148,7 +152,8 @@ class octavia::certificates (
|
|||||||
ensure => directory,
|
ensure => directory,
|
||||||
owner => $file_permission_owner,
|
owner => $file_permission_owner,
|
||||||
group => $file_permission_group,
|
group => $file_permission_group,
|
||||||
mode => '0755'
|
mode => '0755',
|
||||||
|
tag => 'octavia-certificate',
|
||||||
})
|
})
|
||||||
file { $client_ca:
|
file { $client_ca:
|
||||||
ensure => file,
|
ensure => file,
|
||||||
@@ -156,7 +161,8 @@ class octavia::certificates (
|
|||||||
group => $file_permission_owner,
|
group => $file_permission_owner,
|
||||||
owner => $file_permission_group,
|
owner => $file_permission_group,
|
||||||
mode => '0755',
|
mode => '0755',
|
||||||
replace => true
|
replace => true,
|
||||||
|
tag => 'octavia-certificate',
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if $client_cert_data {
|
if $client_cert_data {
|
||||||
@@ -167,7 +173,8 @@ class octavia::certificates (
|
|||||||
ensure => directory,
|
ensure => directory,
|
||||||
owner => $file_permission_owner,
|
owner => $file_permission_owner,
|
||||||
group => $file_permission_group,
|
group => $file_permission_group,
|
||||||
mode => '0755'
|
mode => '0755',
|
||||||
|
tag => 'octavia-certificate',
|
||||||
})
|
})
|
||||||
file { $client_cert:
|
file { $client_cert:
|
||||||
ensure => file,
|
ensure => file,
|
||||||
@@ -175,7 +182,8 @@ class octavia::certificates (
|
|||||||
group => $file_permission_owner,
|
group => $file_permission_owner,
|
||||||
owner => $file_permission_group,
|
owner => $file_permission_group,
|
||||||
mode => '0755',
|
mode => '0755',
|
||||||
replace => true
|
replace => true,
|
||||||
|
tag => 'octavia-certificate',
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
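Review bot: The `file { $ca_private_key:` resource tagged in hunks `-132,7` and `-140,7` keeps `mode => '0755'`, so the CA private key is readable and executable by every local user, and its ownership is crossed (`group => $file_permission_owner`, `owner => $file_permission_group`). Since these resources are being touched anyway, I would tighten the key to `mode => '0600',` with `owner => $file_permission_owner,` and `group => $file_permission_group,`, and add `show_diff => false,` so key material does not land in Puppet reports when the content changes. The crossed owner/group also appears on the `$ca_certificate`, `$client_ca` and `$client_cert` resources, and the spec cannot catch it because it expects `octavia` for both. The resource bodies are only partly visible in these hunks, so check the `content` lines against the full file.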
|
|||||||
@@ -36,4 +36,7 @@ class octavia::deps {
|
|||||||
# Installation or config changes will always restart services.
|
# Installation or config changes will always restart services.
|
||||||
Anchor['octavia::install::end'] ~> Anchor['octavia::service::begin']
|
Anchor['octavia::install::end'] ~> Anchor['octavia::service::begin']
|
||||||
Anchor['octavia::config::end'] ~> Anchor['octavia::service::begin']
|
Anchor['octavia::config::end'] ~> Anchor['octavia::service::begin']
|
||||||
|
|
||||||
|
# Changes in certificate or folders will restart services.
|
||||||
|
File<| tag == 'octavia-certificate' |> ~> Anchor['octavia::service::begin']
|
||||||
}
|
}
|
||||||
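Review bot: The new collector line only orders the tagged files before `Anchor['octavia::service::begin']`; nothing visible in this hunk orders them after package installation. If the account behind `$file_permission_owner` is created by the Octavia packages (not visible here), a first run could try to manage the certificate files before that user exists. Consider chaining it as `Anchor['octavia::install::end'] -> File<| tag == 'octavia-certificate' |> ~> Anchor['octavia::service::begin']`. The collector also matches every `File` in the catalog that carries this tag, including the parent directories declared through `ensure_resource`, so the comment could say that the tag is reserved for resources whose change must restart the services. The body of `octavia::deps` starts outside the hunk.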
|
|||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
When certificate data or file paths change in octavia::certificates it will
|
||||||
|
not cause a restart of the Octavia services so that for example the
|
||||||
|
octavia-worker service can use the new certificates.
|
||||||
@@ -81,27 +81,40 @@ describe 'octavia::certificates' do
|
|||||||
'owner' => 'octavia',
|
'owner' => 'octavia',
|
||||||
'group' => 'octavia',
|
'group' => 'octavia',
|
||||||
'mode' => '0755',
|
'mode' => '0755',
|
||||||
|
'tag' => 'octavia-certificate',
|
||||||
|
})
|
||||||
|
is_expected.to contain_file('/etc/octavia/ca.pem').with({
|
||||||
|
'content' => 'on_my_authority_this_is_a_certificate',
|
||||||
|
'tag' => 'octavia-certificate',
|
||||||
})
|
})
|
||||||
is_expected.to contain_file('/etc/octavia/ca.pem').with_content('on_my_authority_this_is_a_certificate')
|
|
||||||
is_expected.to contain_file('/etc/octavia/key.pem').with({
|
is_expected.to contain_file('/etc/octavia/key.pem').with({
|
||||||
'ensure' => 'file',
|
'ensure' => 'file',
|
||||||
'owner' => 'octavia',
|
'owner' => 'octavia',
|
||||||
'group' => 'octavia',
|
'group' => 'octavia',
|
||||||
'mode' => '0755',
|
'mode' => '0755',
|
||||||
|
'tag' => 'octavia-certificate',
|
||||||
|
})
|
||||||
|
is_expected.to contain_file('/etc/octavia/key.pem').with({
|
||||||
|
'content' => 'this_is_my_private_key_woot_woot',
|
||||||
|
'tag' => 'octavia-certificate',
|
||||||
})
|
})
|
||||||
is_expected.to contain_file('/etc/octavia/key.pem').with_content('this_is_my_private_key_woot_woot')
|
|
||||||
is_expected.to contain_file('/etc/octavia/client.pem').with({
|
is_expected.to contain_file('/etc/octavia/client.pem').with({
|
||||||
'ensure' => 'file',
|
'ensure' => 'file',
|
||||||
'owner' => 'octavia',
|
'owner' => 'octavia',
|
||||||
'group' => 'octavia',
|
'group' => 'octavia',
|
||||||
'mode' => '0755',
|
'mode' => '0755',
|
||||||
|
'tag' => 'octavia-certificate',
|
||||||
|
})
|
||||||
|
is_expected.to contain_file('/etc/octavia/client.pem').with({
|
||||||
|
'content' => 'certainly_for_the_client',
|
||||||
|
'tag' => 'octavia-certificate',
|
||||||
})
|
})
|
||||||
is_expected.to contain_file('/etc/octavia/client.pem').with_content('certainly_for_the_client')
|
|
||||||
is_expected.to contain_file('/etc/octavia').with({
|
is_expected.to contain_file('/etc/octavia').with({
|
||||||
'ensure' => 'directory',
|
'ensure' => 'directory',
|
||||||
'owner' => 'octavia',
|
'owner' => 'octavia',
|
||||||
'group' => 'octavia',
|
'group' => 'octavia',
|
||||||
'mode' => '0755',
|
'mode' => '0755',
|
||||||
|
'tag' => 'octavia-certificate',
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
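Review bot: These expectations check that the `octavia-certificate` tag is present, but never the behaviour the commit is about: that a certificate change refreshes the services. Assuming `octavia::certificates` pulls in `octavia::deps`, an assertion such as `is_expected.to contain_file('/etc/octavia/key.pem').that_notifies('Anchor[octavia::service::begin]')` would pin it, with the same for `ca.pem` and `client.pem`. The spec also locks in `'mode' => '0755'` for `key.pem`, a world-readable private key, so this expectation has to change together with any tightening of the manifest. The `describe` block begins outside the hunk.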
|
|||||||