Revert rolling certificate updates for HA services

Currently galera and ovn require a coordinated restart across
the controller node when certmonger determines the certificate
for a node has expired and it needs to regenerate it.

But right now, when the tripleo certmonger puppet module is
called to assert to state of the certificates, it ends up
regenerating new certificate unconditionally. So the galera and
ovn get restarted on stack update, even when there is no need to.

To mitigate these unecessary restarts, disable the post-action
for now until we fix the behaviour of tripleo's certmonger puppet
module. This has the side effect that services won't get restarted
automatically if no stack update takes place until the certificate
expiration date is reached.

Related-Bug: #1906505

Change-Id: I17f1364932e43b8487515084e41b525e186888db
Damien Ciabrini 2020-11-30 17:13:50 +01:00
parent d04421d48a
commit 8b16911cc2
2 changed files with 0 additions and 4 deletions

View File

@ -173,8 +173,6 @@ outputs:
- internal_tls_enabled
/usr/bin/ mysql galera galera-bundle Master
get_param: InternalTLSCAFile
- {}

View File

@ -170,8 +170,6 @@ outputs:
- if:
- internal_tls_enabled
- generate_service_certificates: true
/usr/bin/ ovn_dbs ovndb_servers ovn-dbs-bundle Slave Master
get_param: InternalTLSCAFile
tripleo::profile::base::neutron::agents::ovn::protocol: 'ssl'