Reload HAProxy when certificate is renewed

This is meant to fix the issue of the certificate renewal not automatically restarting/reloading the haproxy service. It's all done by a script that's installed by puppet. Preferably this patch and the one pointed by this should merge at the same time. Co-Authored-By: Grzegorz Grasza <xek@redhat.com> Needed-By: Id409899bf04e7f9f2653e6c48cfebd0a92ca2d08 Change-Id: I5d91f8d9b5cd4f86ae0511a69e58858c5dccd35d
2018-12-06 18:46:31 -05:00 · 2018-12-06 18:46:31 -05:00 · bd9846062c
commit bd9846062c
parent a5d128b6cd
3 changed files with 75 additions and 23 deletions
--- a/files/certmonger-haproxy-refresh.sh
+++ b/files/certmonger-haproxy-refresh.sh
@ -0,0 +1,51 @@
+#!/bin/bash
+
+# This script is meant to reload HAProxy when certmonger triggers a certificate
+# renewal. It'll concatenate the needed certificates for the PEM file that
+# HAProxy reads.
+
+die() { echo "$*" 1>&2 ; exit 1; }
+
+[[ $# -eq 2 ]] || die "Invalid number of arguments"
+[[ $1 == @(reload|restart) ]] || die "First argument must be one of 'reload' or 'restart'."
+
+
+ACTION=$1
+NETWORK=$2
+
+certmonger_ca=$(hiera -c /etc/puppet/hiera.yaml certmonger_ca)
+container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli docker)
+service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir)/overcloud-haproxy-$NETWORK.crt"
+service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::key_dir)/overcloud-haproxy-$NETWORK.key"
+ca_path=""
+
+if [ "$certmonger_ca" == "local" ]; then
+    ca_path="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
+elif [ "$certmonger_ca" == "IPA" ]; then
+    ca_path="/etc/ipa/ca.crt"
+fi
+
+if [ "$NETWORK" != "external" ]; then
+    service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir)/overcloud-haproxy-$NETWORK.pem"
+else
+    service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::haproxy::service_certificate)"
+fi
+
+cat "$service_certificate" "$ca_path" "$service_key" > "$service_pem"
+
+haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep haproxy)
+
+if [ "$ACTION" == "reload" ]; then
+    # Copy the new cert from the mount-point to the real path
+    $container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
+
+    # Set appropriate permissions
+    $container_cli exec "$haproxy_container_name" chown haproxy:haproxy "$service_pem"
+
+    # Trigger a reload for HAProxy to read the new certificates
+    pkill -f -HUP haproxy-systemd-wrapper
+elif [ "$ACTION" == "restart" ]; then
+    # Copying the certificate and permissions will be handled by kolla's start
+    # script.
+    $container_cli restart "$haproxy_container_name"
+fi
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@ -88,20 +88,12 @@ define tripleo::certmonger::haproxy (
      $dnsnames_real = $hostname
    }

-    if $certmonger_ca == 'local' {
-      $ca_fragment = $ca_pem
-    } else {
-      $ca_fragment = ''
-    }
-
-    $concat_pem = "cat ${service_certificate} ${ca_fragment} ${service_key} > ${service_pem}"
-    if $postsave_cmd {
-      $postsave_cmd_real = "${concat_pem} && ${postsave_cmd}"
-    } else {
-      $reload_haproxy_cmd = 'if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi'
-      $postsave_cmd_real = "${concat_pem} && ${reload_haproxy_cmd}"
-    }
-
+    ensure_resource('file', '/usr/bin/certmonger-haproxy-refresh.sh', {
+      source  => 'puppet:///modules/tripleo/certmonger-haproxy-refresh.sh',
+      mode    => '0700',
+      seltype => 'bin_t',
+      notify  => Service['certmonger']
+    })
    certmonger_certificate { "${title}-cert":
      ensure       => 'present',
      ca           => $certmonger_ca,
@ -109,7 +101,7 @@ define tripleo::certmonger::haproxy (
      dnsname      => $dnsnames_real,
      certfile     => $service_certificate,
      keyfile      => $service_key,
-      postsave_cmd => $postsave_cmd_real,
+      postsave_cmd => $postsave_cmd,
      principal    => $principal_real,
      eku          => ['id-kp-clientAuth', 'id-kp-serverAuth'],
      wait         => true,
@ -142,6 +134,13 @@ define tripleo::certmonger::haproxy (
        tag     => 'haproxy-cert',
        require => Class['tripleo::certmonger::ca::local'],
      }
+    } elsif $certmonger_ca == 'IPA' {
+      concat::fragment { "${title}-ca-fragment":
+        target => $service_pem,
+        source => '/etc/ipa/ca.crt',
+        order  => '10',
+        tag    => 'haproxy-cert',
+      }
    }

    concat::fragment { "${title}-key-fragment":
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@ -52,11 +52,6 @@
 #   it will create.
 #   Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
 #
-# [*haproxy_postsave_cmd*]
-#   (Optional) If set, it overrides the default way to restart haproxy when the
-#   certificate is renewed.
-#   Defaults to undef
-#
 # [*libvirt_certificates_specs*]
 #   (Optional) The specifications to give to certmonger for the certificate(s)
 #   it will create.
@ -132,12 +127,18 @@
 #   certificate is renewed.
 #   Defaults to undef
 #
+# === Deprecated
+#
+# [*haproxy_postsave_cmd*]
+#   (Optional) If set, it overrides the default way to restart haproxy when the
+#   certificate is renewed.
+#   Defaults to undef
+#
 class tripleo::profile::base::certmonger_user (
  $certmonger_ca              = hiera('certmonger_ca', 'local'),
  $apache_certificates_specs  = hiera('apache_certificates_specs', {}),
  $apache_postsave_cmd        = undef,
  $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
-  $haproxy_postsave_cmd       = undef,
  $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
  $libvirt_postsave_cmd       = undef,
  $libvirt_vnc_certificates_specs = hiera('libvirt_vnc_certificates_specs', {}),
@ -153,6 +154,8 @@ class tripleo::profile::base::certmonger_user (
  $neutron_certificate_specs  = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
  $novnc_proxy_certificates_specs = hiera('novnc_proxy_certificates_specs',{}),
  $novnc_proxy_postsave_cmd   = undef,
+  # Deprecated
+  $haproxy_postsave_cmd       = undef,
 ) {
  include ::certmonger

@ -204,8 +207,7 @@ class tripleo::profile::base::certmonger_user (
  }
  unless empty($haproxy_certificates_specs) {
    include ::tripleo::certmonger::haproxy_dirs
-    ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs,
-                      {'postsave_cmd' => $haproxy_postsave_cmd})
+    ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
    # The haproxy fronends (or listen resources) depend on the certificate
    # existing and need to be refreshed if it changed.
    Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>