Workaround for /etc/pki/CA/certs/vnc.crt not present

When doing an upgrade to TLS Everywhere, vnc.crt is not always created by the time the getcert command exits (even though it is run with the -w flag). Puppet then ignores the instruction to change the file permissions, resulting in an error at a later stage, when podman tries to mount the file onto a container. Change-Id: I0e0009d57cd1c90f8ae28a2cfc9337ecf8c75112
2019-10-07 11:32:52 +02:00 · 2019-10-07 11:32:52 +02:00 · 2c241e3934
commit 2c241e3934
parent d9a94dd694
1 changed files with 14 additions and 1 deletions
--- a/manifests/certmonger/libvirt_vnc.pp
+++ b/manifests/certmonger/libvirt_vnc.pp
@ -81,8 +81,21 @@ define tripleo::certmonger::libvirt_vnc (
  }

  if $cacertfile {
+    # Sometimes certmonger returns before creating the cacert file. This has
+    # been reported in: https://bugzilla.redhat.com/show_bug.cgi?id=1759281
+    # Until this is fixed, add this workaround.
+    exec { $cacertfile :
+      require   => Certmonger_certificate[$name],
+      command   => "test -f ${cacertfile}",
+      unless    => "test -f ${cacertfile}",
+      tries     => 60,
+      try_sleep => 1,
+      timeout   => 60,
+      path      => '/usr/bin:/bin',
+    }
+
    file { $cacertfile :
-      require => Certmonger_certificate[$name],
+      require => Exec[$cacertfile],
      mode    => '0644'
    }
    ~> Service<| title == $notify_service_real |>