We were using pkill, which would fail due to SELinux. Using the
container CLI would be a better option. It's also more portable.
Change-Id: I6bf92bc1e74797d9132ae595af8929e67d439f43
Closes-Bug: #1821149

The default command didn't work, so we need to fix that.
Related-Bug: #1811401
Needed-By: Idc0844c8726aa53bc4cbd55f902248f854d2464f
Change-Id: Ifacbee9e31d84be1008ab7545defac71cf65793f

The default command didn't work, so we need to fix that.
The script additionally copies the certificates in the right place
and instead of restarting stunnel, triggers a configuration reload.
Related-Bug: #1811401
Needed-By: I49811a6cab5416d965ce1da93a71728ad5b1d27c
Change-Id: I437d69fef45d1662e8908c5ca0f7063be6cb9b32

The default command didn't work, so we need to fix that.
The script additionally copies the certificates in the right place
and instead of restarting RabbitMQ, it triggers a PEM cache reload.
Related-Bug: #1811401
Needed-By: I3e564f9a5abdbf11d0580c4ff801092f32bcc678
Change-Id: Id06633a1adaafe1fef1d3d7f6b2af3ef5ffc9d4a

This is meant to fix the issue of the certificate renewal not
automatically restarting/reloading the haproxy service.
It's all done by a script that's installed by puppet.
Preferably this patch and the one pointed to by this should merge at the
same time.
Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Needed-By: Id409899bf04e7f9f2653e6c48cfebd0a92ca2d08
Change-Id: I5d91f8d9b5cd4f86ae0511a69e58858c5dccd35d

Configures ca/certs/key for nova-novnc vencrypt.
A dedicated IPA sub-CA can optionally be used to restrict access.
A custom certmonger helper is used to support this as certmonger currently
has limited support for IPA sub-CAs.
Depends-On: I24a9841ba04c95df27599b4d7ac2da8416e751e5
Change-Id: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8

Some services (such as Redis) can't use mod_proxy as a TLS proxy,
since they're not HTTP services. So stunnel is necessary for these.
Thus, we add manifests to configure it as such.
bp tls-via-certmonger
Change-Id: Ic4a2dac7b3831e4780105e3b05e9c5afcf15c79c