Fix double cert mount in haproxy bundle when using tls everywhere
When deploying with tls-everywhere the haproxy_init_bundle container
will bind mount /etc/ipa/ca.crt twice and starting with podman 1.{3,4}.x
this will break:
"stderr: Error: /etc/ipa/ca.crt: duplicate mount destination"
The TLS bind mounts are needed in haproxy_init_bundle (which is only
in charge of creating the pcmk resource) because puppet-haproxy uses
a validate command to check the config which will fail if we simply
remove those bind mounts. Instead of skipping this verification with
some parameter/tag, we try to avoid the duplicate cert by removing the
ca.crt bind mount from deployed_cert_mounts.
The duplication comes from:
1) https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/containers-common.yaml#L122-L127
2) https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/haproxy/haproxy-pacemaker-puppet.yaml#L263
Since changing it in 1) has large implications, we just avoid
redefining it in 2).
Tested with a full tls-everywhere deploy with the applied patch and the
error is not seen any longer.
(cherry picked from commit 668cc684fc)
Change-Id: I6493fd090c808da01d19cc12d1b8371c67708904
Related-Bug: #1833347
Closes-Bug: #1846495
parent 5f70fe6e30
commit 7e303fdbbb
@ -157,6 +157,20 @@ outputs:
- get_param: HAProxyInternalTLSKeysDirectory
- get_param: HAProxyInternalTLSCertsDirectory
- null
# The init bundle users the container_puppet_apply_volumes list. That already contains InternalTLSCAFile
# and newer podmans refuse to start with duplicated mountpoints. That is why we cannot use tls_mapping
# but need a new mapping
tripleo::profile::pacemaker::haproxy_bundle::tls_mapping_init_bundle: &tls_mapping_init_bundle
list_concat:
- if:
- public_tls_enabled
- - get_param: DeployedSSLCertificatePath
- null
- if:
- internal_tls_enabled
- - get_param: HAProxyInternalTLSKeysDirectory
- get_param: HAProxyInternalTLSCertsDirectory
- null
tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
# disable the use CRL file until we can restart the container when the file expires
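Review bot: the first added comment line has a typo ("The init bundle users the container_puppet_apply_volumes list" should read "uses"), and the comment should also state the maintenance contract this hunk creates: tls_mapping_init_bundle is a hand-copied twin of the existing tls_mapping (same public_tls_enabled / internal_tls_enabled branches, same DeployedSSLCertificatePath, HAProxyInternalTLSKeysDirectory and HAProxyInternalTLSCertsDirectory parameters) minus InternalTLSCAFile, so any future edit to one list has to be mirrored in the other or the init bundle and the main bundle will silently diverge in what they mount. A one-line note such as "keep in sync with tls_mapping above; only InternalTLSCAFile is intentionally omitted" next to the &tls_mapping_init_bundle anchor would make that explicit.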
@ -260,7 +274,9 @@ outputs:
volumes:
list_concat:
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
- *deployed_cert_mount
- yaql:
expression: $.data.select($+":"+$+":ro")
data: *tls_mapping_init_bundle
- if:
- docker_enabled
- - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
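Review bot: the commit message says the fix removes the ca.crt bind mount from deployed_cert_mounts, but what this hunk actually does is keep `- *deployed_cert_mount` as-is and switch the yaql `data:` from the old mapping to `*tls_mapping_init_bundle`, relying on `container_puppet_apply_volumes` from ContainersCommon to supply the single InternalTLSCAFile mount; the message (or at least the in-file comment) should describe the change that was made so the record matches the diff. Since the whole point is that newer podman rejects duplicate mount destinations, it would also be worth making the guard structural instead of depending on two hand-maintained lists staying disjoint, for example by running the concatenated volumes list through a yaql `.distinct()` (or an equivalent de-duplication) so a future overlap fails safe rather than reintroducing "duplicate mount destination" at resource creation time.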