Merge "neutron dhcpd: Add script for certmonger postsave_cmd"

files/certmonger-neutron-dhcpd-refresh.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+
+container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli docker)
+
+container_name=$($container_cli ps --format="{{.Names}}" | grep neutron_dhcp)
+
+# The certificate is also installed on the computes, but neutron_dhcp is only
+# present on the controllers, so we exit if the container could not be found.
+[[ -z $container_name ]] && exit 0
+
+service_crt="$(hiera -c /etc/puppet/hiera.yaml neutron::agents::dhcp::ovsdb_agent_ssl_cert_file)"
+service_key="$(hiera -c /etc/puppet/hiera.yaml neutron::agents::dhcp::ovsdb_agent_ssl_key_file)"
+
+# Copy the new cert from the mount-point to the real path
+$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
+
+# Copy the new key from the mount-point to the real path
+$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
+
+# No need to trigger a reload for neutron dhcpd since the cert is not cached

manifests/certmonger/neutron.pp

@@ -33,7 +33,6 @@
 #
 # [*postsave_cmd*]
 #   (Optional) Specifies the command to execute after requesting a certificate.
-#   Defaults to 'if systemctl -q is-active opendaylight; then systemctl restart opendaylight; else true; fi'
 #
 # [*principal*]
 #   (Optional) The haproxy service principal that is set for neutron in kerberos.
@@ -49,6 +48,13 @@ class tripleo::certmonger::neutron (
 ) {
   include ::certmonger
 
+  ensure_resource('file', '/usr/bin/certmonger-neutron-dhcpd-refresh.sh', {
+    source  => 'puppet:///modules/tripleo/certmonger-neutron-dhcpd-refresh.sh',
+    mode    => '0700',
+    seltype => 'bin_t',
+    notify  => Service['certmonger']
+  })
+
   certmonger_certificate { 'neutron' :
     ensure       => 'present',
     certfile     => $service_certificate,