From 95db8b4947f0a80a0109131eda8f66ed4acb90d6 Mon Sep 17 00:00:00 2001
From: Alan Bishop
Date: Wed, 29 Jul 2020 10:00:31 -0700
Subject: [PATCH] Add certmonger-etcd-refresh.sh script

Add a script that refreshes the etcd cert and key files in all containers that reference them. This includes etcd itself, plus any cinder services that access etcd.

Change-Id: I0ea26253355a57b3721bfa6ceef3972eaabc5b1d
---
 files/certmonger-etcd-refresh.sh | 25 +++++++++++++++++++++++++
 manifests/certmonger/etcd.pp | 8 ++++++--
 2 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 files/certmonger-etcd-refresh.sh

diff --git a/files/certmonger-etcd-refresh.sh b/files/certmonger-etcd-refresh.sh
new file mode 100644
index 000000000..83bd06688
--- /dev/null
+++ b/files/certmonger-etcd-refresh.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
+
+# cinder uses etcd, so its containers also need to be refreshed
+container_names=$($container_cli ps --format="{{.Names}}" | grep -E 'cinder|etcd')
+
+service_crt="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::etcd::certificate_specs.service_certificate)"
+service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::etcd::certificate_specs.service_key)"
+
+kolla_dir="/var/lib/kolla/config_files/src-tls"
+
+# For each container, check whether the cert and key files need to be updated.
+# The check is necessary because the original THT design directly bind mounted
+# the files to their final location, and did not copy them in via $kolla_dir.
+# Regardless of whether the container is directly using the files, or a copy,
+# there's no need to trigger a reload because the cert is not cached.
+
+for container_name in ${container_names[*]}; do
+ $container_cli exec -u root "$container_name" bash -c "
+[[ -f ${kolla_dir}/${service_crt} ]] && cp ${kolla_dir}/${service_crt} $service_crt;
+[[ -f ${kolla_dir}/${service_key} ]] && cp ${kolla_dir}/${service_key} $service_key;
+true
+"
+done
diff --git a/manifests/certmonger/etcd.pp b/manifests/certmonger/etcd.pp
index 6b0254cd6..0758964a1 100644
--- a/manifests/certmonger/etcd.pp
+++ b/manifests/certmonger/etcd.pp
@@ -55,8 +55,12 @@ class tripleo::certmonger::etcd (
 ) {
 include certmonger
- # Note: A $postsave_cmd should not be needed because etcd doesn't cache
- # certificates. See https://github.com/etcd-io/etcd/pull/7784.
+ ensure_resource('file', '/usr/bin/certmonger-etcd-refresh.sh', {
+ source => 'puppet:///modules/tripleo/certmonger-etcd-refresh.sh',
+ mode => '0700',
+ seltype => 'bin_t',
+ notify => Service['certmonger']
+ })
 certmonger_certificate { 'etcd' :
 ensure => 'present',
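Review bot: The cert and key paths are expanded unquoted inside the `bash -c` string on the two `cp` lines, so a hiera value containing whitespace or glob characters would be word-split or expanded by the container's shell before `-f` and `cp` see it; single-quoting the interpolations keeps them intact, e.g. `[[ -f '${kolla_dir}/${service_crt}' ]] && cp '${kolla_dir}/${service_crt}' '$service_crt';` with the same change on the key line. The key refresh also relies on `cp` overwriting an already-existing destination in place, which is what preserves the owner and mode that let the service user rather than only root read the private key; a comment stating that the destination is expected to exist would record that assumption, since a freshly created file would instead take root's umask. The header comment says the loop checks whether the files "need to be updated", but the `-f` tests only check that a staged copy exists under `$kolla_dir` and the copy itself is unconditional, so `# Copy the renewed files into any container that has a kolla-staged copy; the copy is unconditional` describes it more accurately. `${container_names[*]}` also indexes a plain string as if it were an array; `for container_name in $container_names; do` says what actually happens.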
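Review bot: The removed comment explained why no post-save hook was needed, but the new file resource carries no comment explaining why the script now is; per the commit message the cinder containers hold their own copies of the etcd cert and key, so a line such as `# Renewed cert/key must be copied into every container holding a copy (etcd and cinder); see certmonger-etcd-refresh.sh` above `ensure_resource` would keep that reasoning in the manifest. Whether the `certmonger_certificate { 'etcd' : ... }` resource actually runs `/usr/bin/certmonger-etcd-refresh.sh` as its post-save command cannot be seen here, because that resource continues past the end of the hunk; if it does not, the script is installed with mode `0700` but never invoked.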