HA: inject public certificates without blocking container

Do not inject public certificates in pacemaker bundles by means
of "podman cp", as this pauses the container for a short amount
of time and can make pacemaker operation fail during that time
window and impact the cluster for no reason.

Keep "podman cp" for non-HA containers, as the freeze is short
and doesn't seem to impact podman monitoring anyway.

The new certificate injection only works for podman 1.9+; lower
versions won't overwrite the existing certificate.

(cherry-picked from 93e53b7429)
(squashed with Ic6e4264c5ad46bd2589cc907c365af2d42fde63d)
(removed a part that should stay in puppet-tripleo before wallaby)

Closes-Bug: #1917868

Change-Id: Id7308f028f33716be5e3df6699c3f2c12e33e344
Damien Ciabrini 2021-03-22 18:04:08 +01:00
parent 50ee8c1cba
commit 63001263ad
1 changed files with 5 additions and 1 deletions


@ -178,7 +178,11 @@ outputs:
- name: copy certificate, chgrp, restart haproxy
shell: |
set -e
{{ container_cli }} cp {{ cert_path }} {{ item }}:{{ cert_path }}
if {{ container_cli }} ps -f "id={{ item }}" --format "{{ '{{' }}.Names{{ '}}' }}" | grep -q "^haproxy-bundle"; then
tar -c {{ cert_path }} | {{container_cli}} exec -i {{ item }} tar -C / -xv
else
{{ container_cli }} cp {{ cert_path }} {{ item }}:{{ cert_path }}
fi
{{ container_cli }} exec --user root {{ item }} chgrp haproxy {{ cert_path }}
{{ container_cli }} kill --signal=HUP {{ item }}
with_items: "{{ container_id.stdout.split('\n') }}"
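Review bot: In the new haproxy-bundle branch, `set -e` alone does not catch a failure of the producing side of `tar -c {{ cert_path }} | {{container_cli}} exec -i {{ item }} tar -C / -xv`: the pipeline's exit status is that of the consuming `tar -x`, so if `cert_path` is missing or unreadable on the host, the task can still report success and `chgrp` plus the HUP then run against an unchanged certificate. Consider `set -eo pipefail` (with the shell task executed under bash, since pipefail is not POSIX sh) so the task fails loudly instead. Two smaller points in the same hunk: the `exec -i ... tar -C / -xv` runs as the container's default user while the following `chgrp` explicitly uses `--user root`, so if that default user cannot write `{{ cert_path }}` inside the bundle the extraction fails where the old `cp` path did not; and `{{container_cli}}` on the tar line is spaced differently from `{{ container_cli }}` everywhere else in the block.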