Add a script that refreshes the etcd cert and key files in all
containers that reference them. This includes etcd itself, plus any
cinder services that access etcd.
Change-Id: I0ea26253355a57b3721bfa6ceef3972eaabc5b1d
(cherry picked from commit 95db8b4947f0a80a0109131eda8f66ed4acb90d6)

HAProxy and RabbitMQ can reload their TLS certificate on change,
without being restarted. To do that, a post-save script scans the
list of running containers, copies the new certs and triggers a reload
action in the service.
Make sure that those post-save scripts only get the right container
out of the "$container_cli ps" command, i.e. that the scripts work
both with HA and non-HA deployments.
Change-Id: Iaba8da504f9c7a54656cf1abe259dff779ea7125
Closes-Bug: #1885284
(cherry picked from commit 3e942b7ff5cc91bfee7cc19d31b502548dcf3f57)

While doing research for this bugzilla[1] I found that since the
actual certificate PEM file is being bind mounted the mount is acting
as a hard link to the inode of the PEM rather than just a pointer to
its location in the directory. When the new file is copied over the
inode is updated but the container still maintains a link to the stale
inode. This patch copies the contents of the certificate into the
container so that the HUP of HAProxy will reload the certificate.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1765839
Change-Id: Idf106c9ffa23ed00c497e1e5014e1b5718254320
Closes-Bug: 1871663
(cherry picked from commit c1e09672a52fea82d853d17145901109291ac1f1)

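The inode behaviour this commit describes, shown with an added shell example that is not part of these commits or of the puppet-tripleo scripts; it assumes a POSIX shell with ls, awk and mktemp available:

```shell
#!/bin/sh
# Added example, not from the commits above. A bind mount pins an inode:
# a renewal that writes a temp file and renames it over the old path gives
# the path a NEW inode, so the container keeps reading the stale one. Writing
# the new bytes into the existing file keeps the inode, which is why the
# postsave script copies the certificate contents into the container and
# only then sends the HUP.

# Inode number of a path (POSIX `ls -i`, so no GNU stat needed).
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Renewal style replacement of $1 by $2: write a temp file, then rename.
replace_by_rename() {
    cp "$2" "$1.tmp" && mv "$1.tmp" "$1"
}

# In-place replacement of $1 by $2: truncate and rewrite, same inode.
replace_in_place() {
    cat "$2" > "$1"
}

# Returns 0 if the inode of the PEM survives the replacement, 1 otherwise.
# $1 is "rename" or "inplace". Files are constructed sample data.
inode_preserved() {
    dir=$(mktemp -d)
    printf 'OLD CERT\n' > "$dir/service.pem"
    printf 'NEW CERT\n' > "$dir/renewed.pem"
    before=$(inode_of "$dir/service.pem")
    if [ "$1" = rename ]; then
        replace_by_rename "$dir/service.pem" "$dir/renewed.pem"
    else
        replace_in_place "$dir/service.pem" "$dir/renewed.pem"
    fi
    after=$(inode_of "$dir/service.pem")
    rm -rf "$dir"
    [ "$before" = "$after" ]
}

if inode_preserved rename; then echo "rename: inode kept"
else echo "rename: inode changed, a bind mount would now be stale"; fi
if inode_preserved inplace; then echo "in-place: inode kept, bind mount sees new cert"
else echo "in-place: inode changed"; fi
```
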
This change just fixes the restart condition
for the radosgw file used when the certificate
is renewed.
Change-Id: Id3f76cd03c993d013090c7c764d6963a64a1c74f

This patch adds the ceph_rgw class required by certmonger to
create the cert/key.
This patch also creates the service_pem file since the rgw
container private key, public certificate and any other CA or
intermediate certificates should be in one file, in PEM format.
Change-Id: I960f7c48866ef11e58e63d80217f7df660455fe1

This change exposes to the end-user the new ceph dashboard
frontend which is fully integrated with grafana service.
This review also adds all the info/classes to integrate the
service with tls-everywhere framework, providing the cert
request and generation that will be passed to ceph dashboard
via ceph-ansible.
Depends-On: https://review.opendev.org/#/c/704308
Change-Id: Id6d2e4b00355cd84baccc2b493f3205c2b32a44b

Since Stein (OSP-15), we're using podman by default. We therefore must
reflect this in certmonger refresh scripts.
Change-Id: I377511aa0be7efbf58cd2a70e8b9a774bb679f61

Following the pattern of the other openstack components,
we need the refresh script that triggers a restart of the
ceph grafana container when the certificate gets renewed.
This commit also adds the postsave_cmd in the ceph_grafana
puppet file to reflect the change.
Change-Id: I91df82eec1715bd7a9d0b1ac44f72dd76f9e54cd

We were using pkill, which would fail due to SELinux. Using the
container cli would be a better option. It's also more portable.
Change-Id: I6bf92bc1e74797d9132ae595af8929e67d439f43
Closes-Bug: #1821149

The default command didn't work, so we need to fix that.
Related-Bug: #1811401
Needed-By: Idc0844c8726aa53bc4cbd55f902248f854d2464f
Change-Id: Ifacbee9e31d84be1008ab7545defac71cf65793f

The default command didn't work, so we need to fix that.
The script additionally copies the certificates in the right place
and instead of restarting stunnel, triggers a configuration reload.
Related-Bug: #1811401
Needed-By: I49811a6cab5416d965ce1da93a71728ad5b1d27c
Change-Id: I437d69fef45d1662e8908c5ca0f7063be6cb9b32

The default command didn't work, so we need to fix that.
The script additionally copies the certificates in the right place
and instead of restarting RabbitMQ, it triggers a pem cache reload.
Related-Bug: #1811401
Needed-By: I3e564f9a5abdbf11d0580c4ff801092f32bcc678
Change-Id: Id06633a1adaafe1fef1d3d7f6b2af3ef5ffc9d4a

This is meant to fix the issue of the certificate renewal not
automatically restarting/reloading the haproxy service.
It's all done by a script that's installed by puppet.
Preferably this patch and the one pointed to by this should merge at the
same time.
Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Needed-By: Id409899bf04e7f9f2653e6c48cfebd0a92ca2d08
Change-Id: I5d91f8d9b5cd4f86ae0511a69e58858c5dccd35d

Configures ca/certs/key for nova-novnc vencrypt.
A dedicated IPA sub-CA can optionally be used to restrict access.
A custom certmonger helper is used to support this as certmonger currently
has limited support for IPA sub-CAs.
Depends-On: I24a9841ba04c95df27599b4d7ac2da8416e751e5
Change-Id: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8

Some services (such as Redis) can't use mod_proxy as a TLS proxy,
since they're not HTTP services. So stunnel is necessary for these.
Thus, we add manifests to configure it as such.
bp tls-via-certmonger
Change-Id: Ic4a2dac7b3831e4780105e3b05e9c5afcf15c79c