49728d2408
Do not inject public certificates in pacemaker bundles by means of "podman cp", as this pauses the container for a short amount of time and can make pacemaker operations fail during that time window, impacting the cluster for no reason. Keep "podman cp" for non-HA containers, as the freeze is short and doesn't seem to impact podman monitoring anyway. The new certificate injection only works for podman 1.9+; lower versions won't overwrite the existing certificate. Adapted from Id7308f028f33716be5e3df6699c3f2c12e33e344, as the same behaviour is implemented in puppet-tripleo before wallaby. Change-Id: I14be16052677bf3426a88ec4b5299f9502007472 Related-Bug: #1917868
#!/bin/bash
# This script is meant to reload HAProxy when certmonger triggers a certificate
# renewal. It'll concatenate the needed certificates for the PEM file that
# HAProxy reads.
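#######################################
# Print an error message to stderr and abort the script.
# Arguments: $* - message text (joined with spaces)
# Outputs:   the message on stderr
# Returns:   never; exits with status 1
#######################################
# printf rather than echo so a message that starts with "-n"/"-e" or contains
# backslashes is printed verbatim instead of being interpreted as options.
die() { printf '%s\n' "$*" >&2; exit 1; }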
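# Argument validation. The script is invoked by certmonger's post-save hook
# with the action to perform and the network whose certificate was renewed.
[[ $# -eq 2 ]] || die "Invalid number of arguments"
[[ $1 == @(reload|restart) ]] || die "First argument must be one of 'reload' or 'restart'."
# The network name is interpolated into file names under the certmonger
# certificate/key directories, so it must be non-empty and must not contain
# a path separator that would let it escape those directories.
[[ -n $2 && $2 != */* ]] || die "Second argument must be a plain network name."

ACTION=$1
NETWORK=$2
readonly ACTION NETWORK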
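# All configuration comes from hiera; one lookup per key rather than
# repeating the certificate_dir lookup for the .crt and the .pem paths.
hiera_cmd=(hiera -c /etc/puppet/hiera.yaml)

certmonger_ca=$("${hiera_cmd[@]}" certmonger_ca)
container_cli=$("${hiera_cmd[@]}" container_cli docker)
cert_dir=$("${hiera_cmd[@]}" tripleo::certmonger::haproxy_dirs::certificate_dir)
key_dir=$("${hiera_cmd[@]}" tripleo::certmonger::haproxy_dirs::key_dir)

# An empty directory would turn the paths below into files directly under /,
# so refuse to go on rather than bundle the wrong material.
[[ -n "$cert_dir" && -n "$key_dir" ]] || die "Could not resolve haproxy certificate/key directories from hiera"

service_certificate="${cert_dir}/overcloud-haproxy-${NETWORK}.crt"
service_key="${key_dir}/overcloud-haproxy-${NETWORK}.key"

# CA certificate to append to the bundle. It stays empty when certmonger_ca
# is neither the local CA nor IPA, in which case only the leaf certificate and
# the key are bundled.
ca_path=""
case "$certmonger_ca" in
  local) ca_path="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem" ;;
  IPA)   ca_path="/etc/ipa/ca.crt" ;;
esac

# The external network's PEM location is configured separately; every other
# network's PEM lives next to its certificate.
if [[ "$NETWORK" != "external" ]]; then
  service_pem="${cert_dir}/overcloud-haproxy-${NETWORK}.pem"
else
  service_pem="$("${hiera_cmd[@]}" tripleo::haproxy::service_certificate)"
fi
[[ -n "$service_pem" ]] || die "Could not resolve the haproxy PEM path for network ${NETWORK}"

# Build the list of parts in the order HAProxy expects (cert, chain, key),
# skipping the CA when there is none instead of passing cat an empty name.
pem_parts=("$service_certificate")
if [[ -n "$ca_path" ]]; then
  pem_parts+=("$ca_path")
fi
pem_parts+=("$service_key")

# Every part must be readable before the PEM is rewritten; a missing file
# would otherwise yield a truncated bundle that is then injected and loaded.
for part in "${pem_parts[@]}"; do
  [[ -r "$part" ]] || die "Cannot read ${part}"
done

# NOTE(review): the bundle contains the private key. When $service_pem does
# not exist yet it is created with the process umask; confirm the directory
# or deployment tooling enforces a restrictive mode on it.
cat "${pem_parts[@]}" > "$service_pem" || die "Failed to write ${service_pem}"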
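# Locate the running HAProxy container. Pacemaker-managed deployments name it
# haproxy-bundle-<engine>-<n>; non-HA deployments name it plainly haproxy.
haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')

# Without a single, non-empty name the exec/cp/kill calls below would run
# against an empty string or a multi-line argument.
[[ -n "$haproxy_container_name" ]] || die "No running haproxy container found"
[[ "$haproxy_container_name" != *$'\n'* ]] \
  || die "More than one haproxy container matched: ${haproxy_container_name}"

if [[ "$ACTION" == "reload" ]]; then
  # Inject the new certificate into the running container
  if [[ "$haproxy_container_name" == haproxy-bundle* ]]; then
    # lp#1917868: Do not use podman cp with HA containers as they get
    # frozen temporarily and that can make pacemaker operation fail.
    # Stream the PEM through exec instead; tar strips the leading "/" on
    # creation and -C / restores the absolute path on extraction.
    tar -c "$service_pem" | $container_cli exec -i "$haproxy_container_name" tar -C / -xv \
      || die "Failed to inject ${service_pem} into ${haproxy_container_name}"
    # no need to update the mount point, because pacemaker
    # recreates the container when it's restarted
  else
    # Refresh the pem at the mount-point
    $container_cli cp "$service_pem" "$haproxy_container_name:/var/lib/kolla/config_files/src-tls${service_pem}" \
      || die "Failed to copy ${service_pem} into ${haproxy_container_name}"
    # Copy the new pem from the mount-point to the real path
    $container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls${service_pem}" "$service_pem" \
      || die "Failed to install ${service_pem} inside ${haproxy_container_name}"
  fi

  # Set appropriate permissions. Done before the HUP so HAProxy never
  # reloads a bundle it cannot read.
  $container_cli exec "$haproxy_container_name" chown haproxy:haproxy "$service_pem" \
    || die "Failed to set ownership on ${service_pem} inside ${haproxy_container_name}"

  # Trigger a reload for HAProxy to read the new certificates
  $container_cli kill --signal HUP "$haproxy_container_name"
elif [[ "$ACTION" == "restart" ]]; then
  # Copying the certificate and permissions will be handled by kolla's start
  # script.
  $container_cli restart "$haproxy_container_name"
fi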