Ensure that the HAProxy certificate is updated

While doing research for this bugzilla[1] I found that since the
actual certificate PEM file is being bind mounted, the mount is acting
as a hard link to the inode of the PEM rather than just a pointer to
its location in the directory.  When the new file is copied over the
inode is updated but the container still maintains a link to the stale
inode.  This patch copies the contents of the certificate into the
container so that the HUP of HAProxy will reload the certificate.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1765839

Change-Id: Idf106c9ffa23ed00c497e1e5014e1b5718254320
Closes-Bug: 1871663
(cherry picked from commit 93c6bffb3b)
Dave Wilde (d34dh0r53) 2020-04-24 10:27:06 -05:00
parent cae687c599
commit 3b5b944048
1 changed files with 3 additions and 0 deletions
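
The stale-inode behaviour described in the commit message can be reproduced without a container. The following is an added example, not part of the patch or the project's code; it assumes a hard link is an acceptable stand-in for the bind mount, and the file names are hypothetical.

```shell
#!/bin/sh
# Constructed demo, not part of the patch. A hard link stands in for the
# container's bind mount: both stay attached to the inode they were made on.

inode_of() { ls -i "$1" | awk '{print $1}'; }

# view_after_update <rename|inplace>
# Prints what the "mounted" view of the PEM holds after the host-side update.
view_after_update() {
    dir=$(mktemp -d) || return 1
    pem="$dir/service.pem"      # host-side PEM (hypothetical name)
    view="$dir/mounted.pem"     # stand-in for the path seen in the container
    printf 'OLD CERT\n' > "$pem"
    ln "$pem" "$view"

    case "$1" in
        rename)   # new file moved over the old name: the path gets a new inode
            printf 'NEW CERT\n' > "$pem.new"
            mv "$pem.new" "$pem" ;;
        inplace)  # same inode rewritten: every reference sees the new bytes
            printf 'NEW CERT\n' > "$pem" ;;
        *)
            rm -rf "$dir"
            return 2 ;;
    esac

    if [ "$(inode_of "$pem")" = "$(inode_of "$view")" ]; then
        echo "same-inode $(cat "$view")"
    else
        echo "stale-inode $(cat "$view")"
    fi
    rm -rf "$dir"
}

view_after_update rename
view_after_update inplace
```

Comparing inode numbers of the host file and the in-container path after a rotation is a quick check for whether a reload will actually pick up the new certificate.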

@ -36,6 +36,9 @@ cat "$service_certificate" "$ca_path" "$service_key" > "$service_pem"
haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep haproxy)
if [ "$ACTION" == "reload" ]; then
# Refresh the cert at the mount-point
$container_cli cp $service_pem "$haproxy_container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
# Copy the new cert from the mount-point to the real path
$container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
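
Review bot: On the cp line under "Refresh the cert at the mount-point", $service_pem is passed unquoted as the source while every other use in this hunk is quoted; quote it so a path containing spaces or glob characters is not split. The destination on that line is built as src-tls/$service_pem, but the exec line that follows reads from src-tls$service_pem; the two only agree if $service_pem is an absolute path, so settle on one form. haproxy_container_name comes from grep haproxy with no check, so an empty or multi-line result goes straight into the cp target; guard on exactly one match before copying. Since the PEM is assembled from $service_key as well, it is worth confirming the owner and mode of the copied file inside the container.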