Fix double cert mount in haproxy bundle when using tls everywhere

When deploying with tls-everywhere the haproxy_init_bundle container
will bind mount /etc/ipa/ca.crt twice and starting with podman 1.{3,4}.x
this will break:

  "stderr: Error: /etc/ipa/ca.crt: duplicate mount destination"

The TLS bind mounts are needed in haproxy_init_bundle (which is only
in charge of creating the pcmk resource) because puppet-haproxy uses
a validate command to check the config which will fail if we simply
remove those bind mounts. Instead of skipping this verification with
some parameter/tag, we try to avoid the duplicate cert by removing the
ca.crt bind mount from deployed_cert_mounts.

The duplication comes from:
1) https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/containers-common.yaml#L122-L127
2) https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/haproxy/haproxy-pacemaker-puppet.yaml#L263

Since changing it in 1) has large implications, we just avoid
redefining it in 2).

Tested with a full tls-everywhere deploy with the applied patch and the
error is not seen any longer.

Change-Id: I6493fd090c808da01d19cc12d1b8371c67708904
Related-Bug: #1833347
Closes-Bug: #1846495
Michele Baldessari 2019-10-03 15:04:47 +02:00
parent 35eb3d8b98
commit 668cc684fc
1 changed files with 17 additions and 1 deletions


@ -157,6 +157,20 @@ outputs:
- get_param: HAProxyInternalTLSKeysDirectory
- get_param: HAProxyInternalTLSCertsDirectory
- null
# The init bundle users the container_puppet_apply_volumes list. That already contains InternalTLSCAFile
# and newer podmans refuse to start with duplicated mountpoints. That is why we cannot use tls_mapping
# but need a new mapping
tripleo::profile::pacemaker::haproxy_bundle::tls_mapping_init_bundle: &tls_mapping_init_bundle
list_concat:
- if:
- public_tls_enabled
- - get_param: DeployedSSLCertificatePath
- null
- if:
- internal_tls_enabled
- - get_param: HAProxyInternalTLSKeysDirectory
- get_param: HAProxyInternalTLSCertsDirectory
- null
tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
# disable the use CRL file until we can restart the container when the file expires
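Review bot: typo in the new comment above `tls_mapping_init_bundle`: "The init bundle users the container_puppet_apply_volumes list" should read "uses". Since `tls_mapping_init_bundle` is a copy of the existing `tls_mapping` with only InternalTLSCAFile left out, a short note on the original `tls_mapping` pointing at this anchor would help keep the two lists in sync when either is changed later.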
@ -260,7 +274,9 @@ outputs:
volumes:
list_concat:
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
- *deployed_cert_mount
- yaql:
expression: $.data.select($+":"+$+":ro")
data: *tls_mapping_init_bundle
- if:
- docker_enabled
- - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
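Review bot: worth confirming that `*deployed_cert_mount` (defined outside this hunk and still concatenated into `volumes`) does not itself mount DeployedSSLCertificatePath, because the new `*tls_mapping_init_bundle` also contributes that path under `public_tls_enabled`, and the same "duplicate mount destination" failure from podman would then recur for public TLS. The commit message also says the fix removes the ca.crt bind mount from deployed_cert_mounts, whereas the hunk keeps `*deployed_cert_mount` and instead points the yaql `data` at the new `*tls_mapping_init_bundle` list; the message should be updated to describe what the change actually does.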