Merge "HA: inject public certificates without blocking container" into stable/train
This commit is contained in:
commit
44b64a167b
@ -36,11 +36,19 @@ cat "$service_certificate" "$ca_path" "$service_key" > "$service_pem"
|
||||
haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
|
||||
|
||||
if [ "$ACTION" == "reload" ]; then
|
||||
# Refresh the cert at the mount-point
|
||||
$container_cli cp $service_pem "$haproxy_container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
|
||||
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
$container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
||||
# Inject the new certificate into the running container
|
||||
if echo "$haproxy_container_name" | grep -q "^haproxy-bundle"; then
|
||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||
# frozen temporarily and that can make pacemaker operation fail.
|
||||
tar -c "$service_pem" | $container_cli exec -i "$haproxy_container_name" tar -C / -xv
|
||||
# no need to update the mount point, because pacemaker
|
||||
# recreates the container when it's restarted
|
||||
else
|
||||
# Refresh the pem at the mount-point
|
||||
$container_cli cp $service_pem "$haproxy_container_name:/var/lib/kolla/config_files/src-tls${service_pem}"
|
||||
# Copy the new pem from the mount-point to the real path
|
||||
$container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls${service_pem}" "$service_pem"
|
||||
fi
|
||||
|
||||
# Set appropriate permissions
|
||||
$container_cli exec "$haproxy_container_name" chown haproxy:haproxy "$service_pem"
|
||||
|
@ -5,13 +5,32 @@ container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli docker)
|
||||
|
||||
container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||
|
||||
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate)"
|
||||
service_crt="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate.service_certificate)"
|
||||
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate.service_key)"
|
||||
|
||||
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||
# frozen temporarily and that can make pacemaker operation fail.
|
||||
tar -c "$service_crt" "$service_key" | $container_cli exec -i "$container_name" tar -C / -xv
|
||||
# no need to update the mount point, because pacemaker
|
||||
# recreates the container when it's restarted
|
||||
else
|
||||
# Refresh the cert at the mount-point
|
||||
$container_cli cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
||||
# Refresh the key at the mount-point
|
||||
$container_cli cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
fi
|
||||
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
||||
|
||||
# Set appropriate permissions
|
||||
$container_cli exec "$container_name" chown rabbitmq:rabbitmq "$service_pem"
|
||||
$container_cli exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||
$container_cli exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||
|
||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
||||
$container_cli exec $container_name rabbitmqctl eval "ssl:clear_pem_cache()."
|
||||
|
Loading…
Reference in New Issue
Block a user