From 381a1e0a2b5fb3e4d2ba70e9d8542858a8d6bf30 Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza
Date: Fri, 25 Jan 2019 18:16:01 +0100
Subject: [PATCH] novnc-proxy: Remove default post-save command for certmonger The default command didn't work, so we need to fix that.
Related-Bug: #1811401
Needed-By: Idc0844c8726aa53bc4cbd55f902248f854d2464f
Change-Id: Ifacbee9e31d84be1008ab7545defac71cf65793f
(cherry picked from commit e6306badac719a7d89411df37f688cffd2fdb106)
---
files/certmonger-novnc-proxy-refresh.sh | 17 +++++++++++++++++
manifests/certmonger/novnc_proxy.pp | 10 +++++++---
2 files changed, 24 insertions(+), 3 deletions(-)
create mode 100644 files/certmonger-novnc-proxy-refresh.sh
diff --git a/files/certmonger-novnc-proxy-refresh.sh b/files/certmonger-novnc-proxy-refresh.sh
new file mode 100644
index 000000000..cb932893b
--- /dev/null
+++ b/files/certmonger-novnc-proxy-refresh.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+
+container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli docker)
+
+container_name=$($container_cli ps --format="{{.Names}}" | grep nova_vnc_proxy)
+
+service_crt="$(hiera -c /etc/puppet/hiera.yaml nova::cert)"
+service_key="$(hiera -c /etc/puppet/hiera.yaml nova::key)"
+
+# Copy the new cert from the mount-point to the real path
+$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
+
+# Copy the new key from the mount-point to the real path
+$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
+
+# No need to trigger a reload for novnc proxy since the cert is not cached
diff --git a/manifests/certmonger/novnc_proxy.pp b/manifests/certmonger/novnc_proxy.pp
index b7d6e979b..42d44ce92 100644
--- a/manifests/certmonger/novnc_proxy.pp
+++ b/manifests/certmonger/novnc_proxy.pp
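Review bot: Nothing in the new files/certmonger-novnc-proxy-refresh.sh stops on failure, so a missed container lookup or a failed `cp` still lets the post-save step finish as if the certificate and key had been refreshed, and the proxy keeps serving the old pair. `grep nova_vnc_proxy` is a substring match that can return no name or several, and the `nova::cert` / `nova::key` lookups are concatenated into copy paths without checking that hiera returned an absolute path. I would add `set -euo pipefail`, match the container name exactly, and validate both paths before the root `exec`, as sketched below. The exact-name match assumes the container is always called `nova_vnc_proxy`, which the page does not confirm.

```shell
#!/bin/bash
set -euo pipefail

# … unchanged: container_cli lookup …

# Match the full name instead of a substring; an empty result is an error.
container_name=$("$container_cli" ps --format="{{.Names}}" | grep -x nova_vnc_proxy || true)
if [ -z "$container_name" ]; then
    echo "nova_vnc_proxy container is not running; certificate not refreshed" >&2
    exit 1
fi

# … unchanged: service_crt / service_key lookups …

# A failed lookup must not be turned into a copy path.
for path in "$service_crt" "$service_key"; do
    case "$path" in
        /*) ;;
        *) echo "hiera returned no absolute path for nova::cert/nova::key" >&2; exit 1 ;;
    esac
done

# … unchanged: the two cp commands …
```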
@@ -36,7 +36,6 @@ # # [*postsave_cmd*] # (Optional) Specifies the command to execute after requesting a certificate. -# If nothing is given, it will default to: "systemctl restart ${service name}" # Defaults to undef. # # [*principal*] @@ -61,7 +60,12 @@ class tripleo::certmonger::novnc_proxy ( $notify_service_real = pick($notify_service, $::nova::params::vncproxy_service_name) - $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::nova::params::vncproxy_service_name}") + ensure_resource('file', '/usr/bin/certmonger-novnc-proxy-refresh.sh', { + source => 'puppet:///modules/tripleo/certmonger-novnc-proxy-refresh.sh', + mode => '0700', + seltype => 'bin_t', + notify => Service['certmonger'] + }) certmonger_certificate { 'novnc-proxy' : ensure => 'present', @@ -70,7 +74,7 @@ class tripleo::certmonger::novnc_proxy ( hostname => $hostname, dnsname => $hostname, principal => $principal, - postsave_cmd => $postsave_cmd_real, + postsave_cmd => $postsave_cmd, ca => $certmonger_ca, wait => true, tag => 'novnc-proxy',
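Review bot: The `file` resource added in the `@@ -61,7 +60,12 @@` hunk sets `mode => '0700'` but no owner or group, so if a file already exists at `/usr/bin/certmonger-novnc-proxy-refresh.sh` Puppet leaves its ownership as found. The script runs `exec -u root` inside the container and is presumably invoked by certmonger as root, so a 0700 file owned by anyone else would be editable by that account. I would pin it with `owner => 'root',` and `group => 'root',` next to `mode`. The class body starts and ends outside the hunk.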
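Review bot: With `postsave_cmd => $postsave_cmd` in the `@@ -70,7 +74,7 @@` hunk the value is undef unless the caller sets it, so by default nothing runs after a renewal and the refresh script this class installs is never invoked from here. The parameter documentation in the `@@ -36,7 +36,6 @@` hunk should say that, for example `#   Pass '/usr/bin/certmonger-novnc-proxy-refresh.sh' to copy a renewed cert and key into the container.` The Needed-By trailer suggests a companion change supplies the value, but that is not visible on this page.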