Add certmonger-etcd-refresh.sh script
Add a script that refreshes the etcd cert and key files in all containers that reference them. This includes etcd itself, plus any cinder services that access etcd. Change-Id: I0ea26253355a57b3721bfa6ceef3972eaabc5b1d
parent
7a6261a1ea
commit
95db8b4947
25
files/certmonger-etcd-refresh.sh
Normal file
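--- /dev/null
+++ b/files/certmonger-etcd-refresh.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
+
+# cinder uses etcd, so its containers also need to be refreshed
+container_names=$($container_cli ps --format="{{.Names}}" | grep -E 'cinder|etcd')
+
+service_crt="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::etcd::certificate_specs.service_certificate)"
+service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::etcd::certificate_specs.service_key)"
+
+kolla_dir="/var/lib/kolla/config_files/src-tls"
+
+# For each container, check whether the cert and key files need to be updated.
+# The check is necessary because the original THT design directly bind mounted
+# the files to their final location, and did not copy them in via $kolla_dir.
+# Regardless of whether the container is directly using the files, or a copy,
+# there's no need to trigger a reload because the cert is not cached.
+
+for container_name in ${container_names[*]}; do
+$container_cli exec -u root "$container_name" bash -c "
+[[ -f ${kolla_dir}/${service_crt} ]] && cp ${kolla_dir}/${service_crt} $service_crt;
+[[ -f ${kolla_dir}/${service_key} ]] && cp ${kolla_dir}/${service_key} $service_key;
+true
+"
+done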
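Review bot: The inner script passed to `bash -c "…"` on the exec line of the for loop is assembled by interpolating `$kolla_dir`, `$service_crt` and `$service_key` unquoted into a double-quoted string, so a value containing whitespace or shell metacharacters is re-parsed as shell inside the container rather than used as a path, and the trailing `true` makes every exec exit 0, so a failed `cp` of the refreshed cert or key is never reported back to certmonger. The hiera values are presumably operator-controlled, so the main consequence is silent breakage rather than an injection path, but a refresh that fails without signalling it defeats the purpose of the hook. Passing the three paths as positional arguments to a single-quoted script, quoting them inside it, and propagating the copy status fixes both; `${container_names[*]}` is also a scalar, not an array, so plain `$container_names` states the intended word-splitting more honestly.
```shell
# … unchanged: hiera lookups, container list, kolla_dir …
rc=0
for container_name in $container_names; do
  $container_cli exec -u root "$container_name" bash -c '
    kolla_dir=$1; crt=$2; key=$3
    [[ -f "$kolla_dir/$crt" ]] && { cp -- "$kolla_dir/$crt" "$crt" || exit 1; }
    [[ -f "$kolla_dir/$key" ]] && { cp -- "$kolla_dir/$key" "$key" || exit 1; }
    true
  ' _ "$kolla_dir" "$service_crt" "$service_key" || rc=1
done
exit "$rc"
```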
@ -55,8 +55,12 @@ class tripleo::certmonger::etcd (
|
|||||||
) {
|
) {
|
||||||
include certmonger
|
include certmonger
|
||||||
|
|
||||||
# Note: A $postsave_cmd should not be needed because etcd doesn't cache
|
ensure_resource('file', '/usr/bin/certmonger-etcd-refresh.sh', {
|
||||||
# certificates. See https://github.com/etcd-io/etcd/pull/7784.
|
source => 'puppet:///modules/tripleo/certmonger-etcd-refresh.sh',
|
||||||
|
mode => '0700',
|
||||||
|
seltype => 'bin_t',
|
||||||
|
notify => Service['certmonger']
|
||||||
|
})
|
||||||
|
|
||||||
certmonger_certificate { 'etcd' :
|
certmonger_certificate { 'etcd' :
|
||||||
ensure => 'present',
|
ensure => 'present',
|
||||||
|