From 49728d24087ef5b3a07eba288bccbbc16f6717af Mon Sep 17 00:00:00 2001
From: Damien Ciabrini
Date: Fri, 5 Mar 2021 13:26:45 +0100
Subject: [PATCH] HA: inject public certificates without blocking container

Do not inject public certificates in pacemaker bundles by means of "podman cp", as this pauses the container for a short amount of time and can make pacemaker operation fail during that time window and impact cluster for no reason.

Keep "podman cp" for non-HA containers, as the freeze is short and doesn't seem to impact podman monitoring anyway.

The new certificate injection only works for podman 1.9+, lower version won't overwrite the existing certificate.

Adapted from Id7308f028f33716be5e3df6699c3f2c12e33e344, as the same behaviour is implemented in puppet-tripleo before wallaby.

Change-Id: I14be16052677bf3426a88ec4b5299f9502007472
Related-Bug: #1917868
---
 files/certmonger-haproxy-refresh.sh | 18 +++++++++++++-----
 files/certmonger-rabbitmq-refresh.sh | 23 +++++++++++++++++++++--
 2 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/files/certmonger-haproxy-refresh.sh b/files/certmonger-haproxy-refresh.sh
index 3e89cfef0..02b4a50cc 100644
--- a/files/certmonger-haproxy-refresh.sh
+++ b/files/certmonger-haproxy-refresh.sh
@@ -36,11 +36,19 @@ cat "$service_certificate" "$ca_path" "$service_key" > "$service_pem"
 haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
 if [ "$ACTION" == "reload" ]; then
- # Refresh the cert at the mount-point
- $container_cli cp $service_pem "$haproxy_container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
-
- # Copy the new cert from the mount-point to the real path
- $container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
+ # Inject the new certificate into the running container
+ if echo "$haproxy_container_name" | grep -q "^haproxy-bundle"; then
+ # lp#1917868: Do not use podman cp with HA containers as they get
+ # frozen temporarily and that can make pacemaker operation fail.
+ tar -c "$service_pem" | $container_cli exec -i "$haproxy_container_name" tar -C / -xv
+ # no need to update the mount point, because pacemaker
+ # recreates the container when it's restarted
+ else
+ # Refresh the pem at the mount-point
+ $container_cli cp $service_pem "$haproxy_container_name:/var/lib/kolla/config_files/src-tls${service_pem}"
+ # Copy the new pem from the mount-point to the real path
+ $container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls${service_pem}" "$service_pem"
+ fi
 # Set appropriate permissions
 $container_cli exec "$haproxy_container_name" chown haproxy:haproxy "$service_pem"
diff --git a/files/certmonger-rabbitmq-refresh.sh b/files/certmonger-rabbitmq-refresh.sh
index fa72e6744..9130b76a8 100644
--- a/files/certmonger-rabbitmq-refresh.sh
+++ b/files/certmonger-rabbitmq-refresh.sh
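Review bot: The new `tar -c "$service_pem" | $container_cli exec -i "$haproxy_container_name" tar -C / -xv` line in the haproxy-bundle branch has no failure check, and the commit message itself says podman older than 1.9 leaves the existing certificate in place, so on such hosts the hook would carry on to the chown and reload haproxy with the stale certificate, with nothing flagging it until the old one expires. Neither `set -e` nor `pipefail` is visible in this hunk, so a failed tar stage is swallowed the same way. I would compare the digest of the file inside the container with the host copy right after the injection and exit non-zero on mismatch, so certmonger records the post-save hook as failed. This assumes `sha256sum` is present in the haproxy image (coreutils usually is, but confirm). The enclosing `if [ "$ACTION" == "reload" ]` block closes outside the hunk.

```shell
tar -c "$service_pem" | $container_cli exec -i "$haproxy_container_name" tar -C / -xv
# podman < 1.9 leaves the existing file untouched (see commit message):
# fail loudly instead of reloading haproxy with a stale certificate
expected=$(sha256sum "$service_pem" | cut -d' ' -f1)
actual=$($container_cli exec "$haproxy_container_name" sha256sum "$service_pem" | cut -d' ' -f1)
if [ "$expected" != "$actual" ]; then
    echo "failed to inject $service_pem into $haproxy_container_name" >&2
    exit 1
fi
# … unchanged: else branch using podman cp, fi, chown …
```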
@@ -5,13 +5,32 @@ container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli docker)
 container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
-service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate)"
+service_crt="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate.service_certificate)"
+service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate.service_key)"
+
+if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
+ # lp#1917868: Do not use podman cp with HA containers as they get
+ # frozen temporarily and that can make pacemaker operation fail.
+ tar -c "$service_crt" "$service_key" | $container_cli exec -i "$container_name" tar -C / -xv
+ # no need to update the mount point, because pacemaker
+ # recreates the container when it's restarted
+else
+ # Refresh the cert at the mount-point
+ $container_cli cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
+ # Refresh the key at the mount-point
+ $container_cli cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
+ # Copy the new cert from the mount-point to the real path
+ $container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
+ # Copy the new key from the mount-point to the real path
+ $container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
+fi
 # Copy the new cert from the mount-point to the real path
 $container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
 # Set appropriate permissions
-$container_cli exec "$container_name" chown rabbitmq:rabbitmq "$service_pem"
+$container_cli exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
+$container_cli exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
 # Trigger a pem cache clear in RabbitMQ to read the new certificates
 $container_cli exec $container_name rabbitmqctl eval "ssl:clear_pem_cache()."
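Review bot: The context lines `# Copy the new cert from the mount-point to the real path` / `$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"` are kept unchanged below the new `fi`, but the only definition of `service_pem` visible here is the removed `-service_pem=` line, so after this patch that command expands to `cp "/var/lib/kolla/config_files/src-tls" ""` and errors on every renewal (unless `service_pem` is still set somewhere above line 5, which the hunk does not show). Both new branches already place the cert and key at their real paths, so I would simply delete those two leftover lines. The HA branch's `tar -c "$service_crt" "$service_key" | ... tar -C / -xv` also has no failure check, which matters given the commit's own note that podman < 1.9 leaves the existing files untouched; comparing `sha256sum` of `$service_crt` and `$service_key` inside the container with the host copies, and exiting non-zero on mismatch before the `rabbitmqctl eval`, would catch a silent no-op. Note too that the HA branch runs `tar` as the container's default user while the non-HA branch needs `-u root` for `cp` and `chown`; presumably the bundle runs as root, but a one-line comment stating that assumption would save the next reader the question.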