Restart haproxy after configuring SSL certs

If a certificate expires, the user will need to update it.  However,
because we only restart services at the end of a stack-update the
new certificate doesn't take effect until after puppet has run.
This is a problem because puppet makes OpenStack calls, which will
fail if the certificate is expired.  In that case we never get to
the service restart so the stack is wedged until the user manually
restart haproxy.

This patch addresses the problem by reloading haproxy before puppet
runs.  This is done in a pre-puppet script for pacemaker after pacemaker
is maintenance mode because we need to make sure it happens after all of
the certs have been installed on the controllers, but before puppet
runs.

For non-pacemaker, haproxy is simply reloaded.

Change-Id: Id5ed05b3a20d06af8ae7a3d6f859b03399b0d77d
This commit is contained in:
Ben Nemec 2016-03-31 16:42:11 -05:00 committed by James Slagle
parent 98f19c17a6
commit 4f373ea30f
2 changed files with 21 additions and 7 deletions

View File

@ -0,0 +1,19 @@
#!/bin/bash
set -x
# On initial deployment, the pacemaker service is disabled and is-active exits
# 3 in that case, so allow this to fail gracefully.
pacemaker_status=$(systemctl is-active pacemaker || :)
if [ "$pacemaker_status" = "active" ]; then
pcs property set maintenance-mode=true
fi
# We need to reload haproxy in case the certificate changed because
# puppet doesn't know the contents of the cert file. We shouldn't
# reload it if it wasn't already active (such as if using external
# loadbalancer or on initial deployment).
haproxy_status=$(systemctl is-active haproxy || :)
if [ "$haproxy_status" = "active" ]; then
systemctl reload haproxy
fi

View File

@ -14,13 +14,8 @@ resources:
type: OS::Heat::SoftwareConfig
properties:
group: script
config: |
#!/bin/bash
pacemaker_status=$(systemctl is-active pacemaker)
if [ "$pacemaker_status" = "active" ]; then
pcs property set maintenance-mode=true
fi
config:
get_file: pacemaker_maintenance_mode.sh
ControllerPrePuppetMaintenanceModeDeployment:
type: OS::Heat::SoftwareDeployments