Do not inject public certificates in pacemaker bundles by means
of "podman cp", as this pauses the container for a short amount
of time and can make pacemaker operation fail during that time
window and impact cluster for no reason.
Keep "podman cp" for non-HA containers, as the freeze is short
and doesn't seem to impact podman monitoring anyway.
The new certificate injection only works for podman 1.9+, lower
versions won't overwrite the existing certificate.
Adapted from Id7308f028f33716be5e3df6699c3f2c12e33e344, as the
same behaviour is implemented in puppet-tripleo before wallaby.
(cherry picked from commit f6c88d0146)
HAProxy and RabbitMQ can reload their TLS certificate on change,
without being restarted. To do that, a post-save script scans the
list of running containers, copies the new certs and triggers a reload
action in the service.
Make sure that those post-save scripts only get the right container
out of the "$container_cli ps" command, i.e. that the scripts work
both with HA and non-HA deployments.
(cherry picked from commit 3e942b7ff5)
While doing research for this bugzilla I found that since the
actual certificate PEM file is being bind mounted, the mount is acting
as a hard link to the inode of the PEM rather than just a pointer to
its location in the directory. When the new file is copied over, the
inode is updated but the container still maintains a link to the stale
inode. This patch copies the contents of the certificate into the
container so that the HUP of HAProxy will reload the certificate.
(cherry picked from commit c1e09672a5)
We were using pkill, which would fail due to SELinux. Using the
container cli would be a better option. It's also more portable.
This is meant to fix the issue of the certificate renewal not
automatically restarting/reloading the haproxy service.
It's all done by a script that's installed by puppet.
Preferably this patch and the one pointed by this should merge at the
Co-Authored-By: Grzegorz Grasza <firstname.lastname@example.org>
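The following script is an added illustration of the three points made in the commit messages above (selecting only the intended containers from "$container_cli ps" so one script serves HA and non-HA deployments, writing the certificate contents through the bind mount instead of replacing the host file, and signalling the service through the container cli rather than pkill). It is not code from the commits or from puppet-tripleo. The container names "haproxy" and "haproxy-bundle-podman-N", the in-container certificate path and the `inject_cert` helper are assumptions; the bind-mount behaviour is simulated with a hard link, which pins an inode the same way.

```shell
#!/bin/sh
# Added example, not the commits' own script. Sample container names and
# paths below are constructed assumptions.

# Keep only the containers running the given service out of the "Names"
# column of "$container_cli ps". Matches the plain non-HA container
# ("haproxy") and pacemaker bundle replicas ("haproxy-bundle-podman-0"),
# but not unrelated containers whose name merely contains the service.
select_service_containers() {
    service="$1"
    # container names arrive on stdin, one per line
    grep -E "^${service}(-bundle-[a-z]+-[0-9]+)?$"
}

# Build the reload command on the container cli instead of pkill, which
# SELinux blocks from the host: HAProxy reloads its certificate on SIGHUP.
reload_command() {
    container_cli="$1"; name="$2"
    printf '%s kill --signal HUP %s\n' "$container_cli" "$name"
}

# Write the renewed PEM *contents* into the container through a shell on
# stdin, so the bind-mounted inode is updated in place rather than replaced
# with "$container_cli cp" (which pauses the container). Assumed helper; it
# needs a real container runtime and is not exercised offline.
inject_cert() {
    container_cli="$1"; name="$2"; host_pem="$3"; container_pem="$4"
    "$container_cli" exec -i -u root "$name" sh -c "cat > '$container_pem'" < "$host_pem"
}

# Show why replacing the host file leaves the container stale: a hard link
# stands in for the bind mount, since both pin the inode, not the path.
# Prints "fresh" or "stale" depending on how the certificate was updated.
inode_demo() {
    mode="$1"   # "replace" (new inode via rename) or "write" (same inode)
    d=$(mktemp -d)
    printf 'OLD-CERT\n' > "$d/cert.pem"
    ln "$d/cert.pem" "$d/in-container.pem"      # the container's view
    printf 'NEW-CERT\n' > "$d/renewed.pem"
    case "$mode" in
        replace) mv "$d/renewed.pem" "$d/cert.pem" ;;    # new inode
        write)   cat "$d/renewed.pem" > "$d/cert.pem" ;; # same inode
    esac
    if [ "$(cat "$d/in-container.pem")" = "NEW-CERT" ]; then
        echo fresh
    else
        echo stale
    fi
    rm -rf "$d"
}

# Typical post-save flow (runtime-dependent, so only shown, not run here):
#   podman ps --format '{{.Names}}' | select_service_containers haproxy |
#   while read -r c; do
#       inject_cert podman "$c" /etc/pki/tls/certs/haproxy.pem /etc/pki/tls/certs/haproxy.pem
#       $(reload_command podman "$c")
#   done
```

Running `inode_demo replace` reports `stale` and `inode_demo write` reports `fresh`, which is the difference between certmonger dropping a new file into place and the script streaming the new contents into the existing inode inside the container.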