From 93c6bffb3b06c5978e5f3611e058b4afff08bdb9 Mon Sep 17 00:00:00 2001
From: "Dave Wilde (d34dh0r53)"
Date: Fri, 24 Apr 2020 10:27:06 -0500
Subject: [PATCH] Ensure that the HAProxy certificate is updated

While doing research for this bugzilla[1] I found that since the actual certificate PEM file is being bind mounted the mount is acting as a hard link to the inode of the PEM rather than just a pointer to it's location in the directory. When the new file is copied over the inode is updated but the container still maintains a link to the stale inode. This patch copies the contents of the certificate into the container so that the HUP of HAProxy will reload the certificate.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1765839
Change-Id: Idf106c9ffa23ed00c497e1e5014e1b5718254320
Closes-Bug: 1871663
---
 files/certmonger-haproxy-refresh.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/files/certmonger-haproxy-refresh.sh b/files/certmonger-haproxy-refresh.sh
index 4a8c82d18..19bf58e99 100644
--- a/files/certmonger-haproxy-refresh.sh
+++ b/files/certmonger-haproxy-refresh.sh
@@ -36,6 +36,9 @@ cat "$service_certificate" "$ca_path" "$service_key" > "$service_pem"
 haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep haproxy)
 if [ "$ACTION" == "reload" ]; then
+ # Refresh the cert at the mount-point
+ $container_cli cp $service_pem "$haproxy_container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
+ # Copy the new cert from the mount-point to the real path
 $container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
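Review bot: The added `$container_cli cp` line passes `$service_pem` unquoted and never checks the result. If the copy fails, the following `exec ... cp` and the reload still run against the stale PEM and the script reports nothing; whether `set -e` is active is not visible in this hunk. I would quote the source and stop on failure, also dropping the extra slash so the path matches the existing `src-tls$service_pem` form: `$container_cli cp "$service_pem" "$haproxy_container_name:/var/lib/kolla/config_files/src-tls$service_pem" || exit 1`. `$haproxy_container_name` comes from `grep haproxy`, which can return no name or several, so the `cp` destination is only well-formed when exactly one container matches; a check for a single non-empty name before the `if` would cover both commands. The PEM is built from `$service_key` as well as the certificate, so confirm the ownership and mode of the copied file inside the container; the `if` block continues past the end of the hunk, where that may already be handled.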