Merge "[train-only] Fix certmonger novnc_proxy key files data race" into stable/train

Zuul 2022-05-27 10:02:52 +00:00 committed by Gerrit Code Review
commit 0c3e0820bf
2 changed files with 33 additions and 11 deletions


@ -127,8 +127,8 @@ define tripleo::certmonger::libvirt_vnc (
timeout => 60, timeout => 60,
path => '/usr/bin:/bin', path => '/usr/bin:/bin',
} }
-> exec { "Change permissions and owner of ${service_key}": -> exec { "Change permissions and owner of ${service_key} and ${service_certificate}":
command => "chgrp qemu ${service_key} && chmod 0640 ${service_key}", command => "chgrp qemu ${service_key} && chmod 0640 ${service_key} && chgrp qemu ${service_certificate} && chmod 0640 ${service_certificate}", # lint:ignore:140chars
refreshonly => true, refreshonly => true,
path => '/usr/bin:/bin', path => '/usr/bin:/bin',
} }
@ -138,7 +138,7 @@ define tripleo::certmonger::libvirt_vnc (
mode => '0644' mode => '0644'
} }
Certmonger_certificate[$name] ~> Exec["Change permissions and owner of ${service_key}"] Certmonger_certificate[$name] ~> Exec["Change permissions and owner of ${service_key} and ${service_certificate}"]
Exec["Purge ${service_certificate}"] -> File[$service_certificate] ~> Service<| title == $notify_service_real |> Exec["Purge ${service_certificate}"] -> File[$service_certificate] ~> Service<| title == $notify_service_real |>
File[$service_key] ~> Service<| title == $notify_service_real |> File[$service_key] ~> Service<| title == $notify_service_real |>
} }
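Review bot: The permissions exec in the first hunk now runs `chmod 0640 ${service_certificate}`, while the context line `mode => '0644'` in the second hunk appears to belong to `File[$service_certificate]` (that resource starts outside the hunk), so two resources manage the same certificate with different modes. Whichever is applied last wins, and a later correction by the File resource would notify the service a second time. The certificate is not secret, so I would keep only the group change for it, `chgrp qemu ${service_key} && chmod 0640 ${service_key} && chgrp qemu ${service_certificate}`, or alternatively set the File mode to '0640' so both agree. The same pair is visible in the novnc_proxy class in the second file, where `file { $service_certificate : ... mode => '0644' }` sits next to the same exec.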


@ -71,7 +71,17 @@ class tripleo::certmonger::novnc_proxy (
notify => Service['certmonger'] notify => Service['certmonger']
}) })
certmonger_certificate { 'novnc-proxy' : file { $service_key :
group => 'qemu',
mode => '0640',
audit => [content],
}
~> exec { "Purge ${service_certificate}" :
command => "rm -f ${service_certificate}",
refreshonly => true,
path => '/usr/bin:/bin',
}
-> certmonger_certificate { 'novnc-proxy' :
ensure => 'present', ensure => 'present',
certfile => $service_certificate, certfile => $service_certificate,
keyfile => $service_key, keyfile => $service_key,
@ -87,15 +97,27 @@ class tripleo::certmonger::novnc_proxy (
subscribe => File[$service_key], subscribe => File[$service_key],
} }
file { $service_certificate : exec { $service_certificate :
require => Certmonger_certificate['novnc-proxy'], require => Certmonger_certificate['novnc-proxy'],
mode => '0644' command => "test -f ${service_certificate}",
unless => "test -f ${service_certificate}",
tries => 60,
try_sleep => 1,
timeout => 60,
path => '/usr/bin:/bin',
} }
file { $service_key : -> exec { "Change permissions and owner of ${service_key} and ${service_certificate}":
mode => '0640', command => "chgrp qemu ${service_key} && chmod 0640 ${service_key} && chgrp qemu ${service_certificate} && chmod 0640 ${service_certificate}", # lint:ignore:140chars
audit => [content], refreshonly => true,
path => '/usr/bin:/bin',
} }
File[$service_certificate] ~> Service<| title == $notify_service_real |> file { $service_certificate :
group => 'qemu',
mode => '0644'
}
Certmonger_certificate['novnc-proxy'] ~> Exec["Change permissions and owner of ${service_key} and ${service_certificate}"]
Exec["Purge ${service_certificate}"] -> File[$service_certificate] ~> Service<| title == $notify_service_real |>
File[$service_key] ~> Service<| title == $notify_service_real |> File[$service_key] ~> Service<| title == $notify_service_real |>
} }
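Review bot: `File[$service_certificate]` no longer carries `require => Certmonger_certificate['novnc-proxy']`; in the lines shown it is only ordered after `Exec["Purge ${service_certificate}"]`, so it can be evaluated while the certificate is still absent following a purge. If that happens, its group and mode, and its `~> Service` notification, would presumably take effect only on the next Puppet run. Consider ordering it after the permissions exec with `Exec["Change permissions and owner of ${service_key} and ${service_certificate}"] -> File[$service_certificate]`. A short comment above the `file { $service_key :` chain would also help, stating that the certificate is purged when the key content changes so that certmonger reissues a matching key and certificate pair.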