Reload HAProxy when certificate is renewed

This is meant to fix the issue of the certificate renewal not
automatically restarting/reloading the haproxy service.

It's all done by a script that's installed by puppet.

Preferably this patch and the one it points to (see Needed-By) should merge at the
same time.

Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Needed-By: Id409899bf04e7f9f2653e6c48cfebd0a92ca2d08
Change-Id: I5d91f8d9b5cd4f86ae0511a69e58858c5dccd35d
(cherry picked from commit bd9846062c)
Juan Antonio Osorio Robles 2018-12-06 18:46:31 -05:00 committed by Grzegorz Grasza
parent a336146c0b
commit e2aba0f5a7
3 changed files with 75 additions and 23 deletions


@ -0,0 +1,51 @@
#!/bin/bash
# This script is meant to reload HAProxy when certmonger triggers a certificate
# renewal. It'll concatenate the needed certificates for the PEM file that
# HAProxy reads.
die() { echo "$*" 1>&2 ; exit 1; }
[[ $# -eq 2 ]] || die "Invalid number of arguments"
[[ $1 == @(reload|restart) ]] || die "First argument must be one of 'reload' or 'restart'."
ACTION=$1
NETWORK=$2
certmonger_ca=$(hiera -c /etc/puppet/hiera.yaml certmonger_ca)
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli docker)
service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir)/overcloud-haproxy-$NETWORK.crt"
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::key_dir)/overcloud-haproxy-$NETWORK.key"
ca_path=""
if [ "$certmonger_ca" == "local" ]; then
ca_path="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
elif [ "$certmonger_ca" == "IPA" ]; then
ca_path="/etc/ipa/ca.crt"
fi
if [ "$NETWORK" != "external" ]; then
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir)/overcloud-haproxy-$NETWORK.pem"
else
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::haproxy::service_certificate)"
fi
cat "$service_certificate" "$ca_path" "$service_key" > "$service_pem"
haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep haproxy)
if [ "$ACTION" == "reload" ]; then
# Copy the new cert from the mount-point to the real path
$container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
# Set appropriate permissions
$container_cli exec "$haproxy_container_name" chown haproxy:haproxy "$service_pem"
# Trigger a reload for HAProxy to read the new certificates
pkill -f -HUP haproxy-systemd-wrapper
elif [ "$ACTION" == "restart" ]; then
# Copying the certificate and permissions will be handled by kolla's start
# script.
$container_cli restart "$haproxy_container_name"
fi
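Review bot: The PEM written at `cat "$service_certificate" "$ca_path" "$service_key" > "$service_pem"` contains the private key but is created with the caller's default umask, so a freshly created file can end up readable by other users on the host; set `umask 077` before the redirect (or chmod it to 0600 immediately after). When `certmonger_ca` is neither `local` nor `IPA`, `$ca_path` stays empty and `cat ""` fails, yet with no `set -e` the script still goes on to reload or restart HAProxy with whatever was written; exit on a failed concatenation, e.g. `cat "$service_certificate" ${ca_path:+"$ca_path"} "$service_key" > "$service_pem" || die "Failed to build $service_pem"`. The `grep haproxy` over the container list may also match more than one name, which would hand a multi-word string to `exec`; anchoring the match or using a `--filter name=` expression would make the lookup deterministic.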


@ -91,20 +91,12 @@ define tripleo::certmonger::haproxy (
$dnsnames_real = $hostname
}
if $certmonger_ca == 'local' {
$ca_fragment = $ca_pem
} else {
$ca_fragment = ''
}
$concat_pem = "cat ${service_certificate} ${ca_fragment} ${service_key} > ${service_pem}"
if $postsave_cmd {
$postsave_cmd_real = "${concat_pem} && ${postsave_cmd}"
} else {
$reload_haproxy_cmd = 'if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi'
$postsave_cmd_real = "${concat_pem} && ${reload_haproxy_cmd}"
}
ensure_resource('file', '/usr/bin/certmonger-haproxy-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-haproxy-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { "${title}-cert":
ensure => 'present',
ca => $certmonger_ca,
@ -112,7 +104,7 @@ define tripleo::certmonger::haproxy (
dnsname => $dnsnames_real,
certfile => $service_certificate,
keyfile => $service_key,
postsave_cmd => $postsave_cmd_real,
postsave_cmd => $postsave_cmd,
principal => $principal_real,
eku => ['id-kp-clientAuth', 'id-kp-serverAuth'],
wait => true,
@ -145,6 +137,13 @@ define tripleo::certmonger::haproxy (
tag => 'haproxy-cert',
require => Class['tripleo::certmonger::ca::local'],
}
} elsif $certmonger_ca == 'IPA' {
concat::fragment { "${title}-ca-fragment":
target => $service_pem,
source => '/etc/ipa/ca.crt',
order => '10',
tag => 'haproxy-cert',
}
}
concat::fragment { "${title}-key-fragment":
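Review bot: The `ensure_resource('file', '/usr/bin/certmonger-haproxy-refresh.sh', ...)` block sets `mode => '0700'` but no `owner`/`group`, so the script certmonger executes as root as a postsave command has no explicitly enforced owner; add `owner => 'root',` and `group => 'root',` next to `mode`. With `$postsave_cmd_real` and its `systemctl reload haproxy` fallback removed, `postsave_cmd => $postsave_cmd` on the certmonger_certificate resource now depends entirely on the parameter's default, which is outside this hunk — if that default is still `undef`, a renewal would no longer reload HAProxy at all. The enclosing define starts before the first hunk and continues after the last one.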


@ -48,11 +48,6 @@
# it will create.
# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
#
# [*haproxy_postsave_cmd*]
# (Optional) If set, it overrides the default way to restart haproxy when the
# certificate is renewed.
# Defaults to undef
#
# [*libvirt_certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@ -123,11 +118,17 @@
# certificate is renewed.
# Defaults to undef
#
# === Deprecated
#
# [*haproxy_postsave_cmd*]
# (Optional) If set, it overrides the default way to restart haproxy when the
# certificate is renewed.
# Defaults to undef
#
class tripleo::profile::base::certmonger_user (
$apache_certificates_specs = hiera('apache_certificates_specs', {}),
$apache_postsave_cmd = undef,
$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
$haproxy_postsave_cmd = undef,
$libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
$libvirt_postsave_cmd = undef,
$libvirt_vnc_certificates_specs = hiera('libvirt_vnc_certificates_specs', {}),
@ -142,6 +143,8 @@ class tripleo::profile::base::certmonger_user (
$neutron_certificate_specs = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
$novnc_proxy_certificates_specs = hiera('novnc_proxy_certificates_specs',{}),
$novnc_proxy_postsave_cmd = undef,
# Deprecated
$haproxy_postsave_cmd = undef,
) {
unless empty($haproxy_certificates_specs) {
$reload_haproxy = ['systemctl reload haproxy']
@ -179,8 +182,7 @@ class tripleo::profile::base::certmonger_user (
}
unless empty($haproxy_certificates_specs) {
include ::tripleo::certmonger::haproxy_dirs
ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs,
{'postsave_cmd' => $haproxy_postsave_cmd})
ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
# The haproxy fronends (or listen resources) depend on the certificate
# existing and need to be refreshed if it changed.
Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
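Review bot: `$haproxy_postsave_cmd` is kept as a deprecated parameter, but once the `ensure_resources('tripleo::certmonger::haproxy', ...)` call drops the `'postsave_cmd'` pass-through a caller who still sets it gets no feedback that the value is ignored (assuming nothing else in the class consumes it). Emit a deprecation warning where it is still accepted, e.g. `if $haproxy_postsave_cmd { warning('haproxy_postsave_cmd is deprecated and no longer used') }`, so operators relying on a custom reload hook notice the change on the next run. The class body continues outside the last hunk.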