|
|
@ -270,59 +270,57 @@ outputs: |
|
|
|
type: node |
|
|
|
- null |
|
|
|
deploy_steps_tasks: |
|
|
|
if: |
|
|
|
- internal_tls_enabled |
|
|
|
- |
|
|
|
- name: Certificate generation |
|
|
|
when: step|int == 1 |
|
|
|
block: |
|
|
|
- include_role: |
|
|
|
name: linux-system-roles.certificate |
|
|
|
vars: |
|
|
|
certificate_requests: |
|
|
|
- name: rabbitmq |
|
|
|
dns: |
|
|
|
str_replace: |
|
|
|
template: "{{fqdn_$NETWORK}}" |
|
|
|
params: |
|
|
|
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} |
|
|
|
principal: |
|
|
|
str_replace: |
|
|
|
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}" |
|
|
|
params: |
|
|
|
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} |
|
|
|
run_after: | |
|
|
|
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?') |
|
|
|
service_crt="/etc/pki/tls/certs/rabbitmq.crt" |
|
|
|
service_key="/etc/pki/tls/private/rabbitmq.key" |
|
|
|
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then |
|
|
|
# lp#1917868: Do not use podman cp with HA containers as they get |
|
|
|
# frozen temporarily and that can make pacemaker operation fail. |
|
|
|
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv |
|
|
|
# no need to update the mount point, because pacemaker |
|
|
|
# recreates the container when it's restarted |
|
|
|
else |
|
|
|
# Refresh the cert at the mount-point |
|
|
|
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt" |
|
|
|
# Refresh the key at the mount-point |
|
|
|
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key" |
|
|
|
# Copy the new cert from the mount-point to the real path |
|
|
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" |
|
|
|
# Copy the new key from the mount-point to the real path |
|
|
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" |
|
|
|
fi |
|
|
|
# Set appropriate permissions |
|
|
|
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt" |
|
|
|
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key" |
|
|
|
# Trigger a pem cache clear in RabbitMQ to read the new certificates |
|
|
|
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()." |
|
|
|
key_size: |
|
|
|
if: |
|
|
|
- key_size_override_unset |
|
|
|
- {get_param: CertificateKeySize} |
|
|
|
- {get_param: RabbitmqMessageCertificateKeySize} |
|
|
|
ca: ipa |
|
|
|
- null |
|
|
|
- name: Certificate generation |
|
|
|
when: |
|
|
|
- step|int == 1 |
|
|
|
- enable_internal_tls |
|
|
|
block: |
|
|
|
- include_role: |
|
|
|
name: linux-system-roles.certificate |
|
|
|
vars: |
|
|
|
certificate_requests: |
|
|
|
- name: rabbitmq |
|
|
|
dns: |
|
|
|
str_replace: |
|
|
|
template: "{{fqdn_$NETWORK}}" |
|
|
|
params: |
|
|
|
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} |
|
|
|
principal: |
|
|
|
str_replace: |
|
|
|
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}" |
|
|
|
params: |
|
|
|
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} |
|
|
|
run_after: | |
|
|
|
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?') |
|
|
|
service_crt="/etc/pki/tls/certs/rabbitmq.crt" |
|
|
|
service_key="/etc/pki/tls/private/rabbitmq.key" |
|
|
|
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then |
|
|
|
# lp#1917868: Do not use podman cp with HA containers as they get |
|
|
|
# frozen temporarily and that can make pacemaker operation fail. |
|
|
|
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv |
|
|
|
# no need to update the mount point, because pacemaker |
|
|
|
# recreates the container when it's restarted |
|
|
|
else |
|
|
|
# Refresh the cert at the mount-point |
|
|
|
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt" |
|
|
|
# Refresh the key at the mount-point |
|
|
|
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key" |
|
|
|
# Copy the new cert from the mount-point to the real path |
|
|
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" |
|
|
|
# Copy the new key from the mount-point to the real path |
|
|
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" |
|
|
|
fi |
|
|
|
# Set appropriate permissions |
|
|
|
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt" |
|
|
|
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key" |
|
|
|
# Trigger a pem cache clear in RabbitMQ to read the new certificates |
|
|
|
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()." |
|
|
|
key_size: |
|
|
|
if: |
|
|
|
- key_size_override_unset |
|
|
|
- {get_param: CertificateKeySize} |
|
|
|
- {get_param: RabbitmqMessageCertificateKeySize} |
|
|
|
ca: ipa |
|
|
|
host_prep_tasks: |
|
|
|
- name: create persistent directories |
|
|
|
file: |
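Review bot: The `run_after` script on the new side (from the `container_name=$({{container_cli}} ps ...)` line onward) has no guard for the lookup returning nothing or more than one name: with no running rabbitmq container the variable is empty, the `grep -q "^rabbitmq-bundle"` test falls into the `else` branch, and each `{{container_cli}} cp`/`exec` call then fails in turn while the script still runs to its last line, since the block scalar sets no `set -e`; a pattern matching several containers would likewise hand a multi-line value to `exec`. A check directly after the assignment, `if [ -z "$container_name" ] || [ "$(printf '%s\n' "$container_name" | wc -l)" -ne 1 ]; then echo "rabbitmq container lookup returned '$container_name', not refreshing certificate" >&2; exit 1; fi`, makes the refresh fail loudly instead of leaving the container with stale PEM material; if a missing container at first issuance is an expected case, `exit 0` with the same message is the alternative. The two `{{container_cli}} cp $service_crt` / `cp $service_key` lines also leave the source paths unquoted while every other use quotes them; `"$service_crt"` / `"$service_key"` keeps the style consistent. The `when:` list now gates the role include on the Ansible variable `enable_internal_tls`; if that fact is not defined on the host the task errors rather than being skipped, so it is worth confirming it is always set where `deploy_steps_tasks` run. The enclosing `deploy_steps_tasks` list continues past the old `if:` structure that this hunk removes, and the trailing `file:` task body lies outside the hunk.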
|
|
|