openstack/puppet-tripleo
Code Issues Proposed changes

rabbitmq: Remove default post-save command for certmonger

Browse Source 
The default command didn't work, so we need to fix that.

The script additionally copies the certificates in the right place
and instead of restarting RabbitMQ, it triggers a pem cache reload.

Related-Bug: #1811401
Needed-By: I3e564f9a5abdbf11d0580c4ff801092f32bcc678
Change-Id: Id06633a1adaafe1fef1d3d7f6b2af3ef5ffc9d4a
This commit is contained in:
Grzegorz Grasza 2019-01-25 14:54:00 +01:00
parent f1f4a6ccb8
commit 801391a13e
2 changed files with 25 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
files/certmonger-rabbitmq-refresh.sh Normal file
View File

@ -0,0 +1,17 @@
#!/bin/bash
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli docker)
container_name=$($container_cli ps --format="{{.Names}}" | grep rabbitmq)
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate)"
# Copy the new cert from the mount-point to the real path
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
# Set appropriate permissions
$container_cli exec "$container_name" chown rabbitmq:rabbitmq "$service_pem"
# Trigger a pem cache clear in RabbitMQ to read the new certificates
$container_cli exec $container_name rabbitmqctl eval "ssl:clear_pem_cache()."

11
manifests/certmonger/rabbitmq.pp
View File

@ -33,7 +33,6 @@
# #
# [*postsave_cmd*] # [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate. # (Optional) Specifies the command to execute after requesting a certificate.
# If nothing is given, it will default to: "systemctl restart ${service name}"
# Defaults to undef. # Defaults to undef.
# #
# [*principal*] # [*principal*]
@ -51,7 +50,13 @@ class tripleo::certmonger::rabbitmq (
include ::certmonger include ::certmonger
include ::rabbitmq::params include ::rabbitmq::params
$postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::rabbitmq::params::service_name}") ensure_resource('file', '/usr/bin/certmonger-rabbitmq-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-rabbitmq-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { 'rabbitmq' : certmonger_certificate { 'rabbitmq' :
ensure => 'present', ensure => 'present',
certfile => $service_certificate, certfile => $service_certificate,
@ -59,7 +64,7 @@ class tripleo::certmonger::rabbitmq (
hostname => $hostname, hostname => $hostname,
dnsname => $hostname, dnsname => $hostname,
principal => $principal, principal => $principal,
postsave_cmd => $postsave_cmd_real, postsave_cmd => $postsave_cmd,
ca => $certmonger_ca, ca => $certmonger_ca,
wait => true, wait => true,
require => Class['::certmonger'], require => Class['::certmonger'],