HA: inject public certificates without blocking container

Do not inject public certificates in pacemaker bundles by means of "podman cp", as this pauses the container for a short amount of time and can make pacemaker operation fail during that time window and impact cluster for no reason. Keep "podman cp" for non-HA containers, as the freeze is short and doesn't seem to impact podman monitoring anyway. The new certificate injection only works for podman 1.9+, lower version won't overwrite the existing certificate. Closes-Bug: #1917868 Change-Id: Id7308f028f33716be5e3df6699c3f2c12e33e344
2021-03-22 18:04:08 +01:00 · 2021-03-22 18:04:08 +01:00 · 93e53b7429
parent b5ecde2f27
commit 93e53b7429
6 changed files with 79 additions and 21 deletions
--- a/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml
+++ b/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml
@ -135,10 +135,19 @@ outputs:
                            cat "$service_crt" "$ca_path" "$service_key" > "$service_pem"

                            container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
-                            # Refresh the pem at the mount-point
-                            {{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
-                            # Copy the new pem from the mount-point to the real path
-                            {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
+                            # Inject the new pem into the running container
+                            if echo "$container_name" | grep -q "^haproxy-bundle"; then
+                              # lp#1917868: Do not use podman cp with HA containers as they get
+                              # frozen temporarily and that can make pacemaker operation fail.
+                              tar -c "$service_pem" | {{container_cli}} exec -i "$container_name" tar -C / -xv
+                              # no need to update the mount point, because pacemaker
+                              # recreates the container when it's restarted
+                            else
+                              # Refresh the pem at the mount-point
+                              {{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
+                              # Copy the new pem from the mount-point to the real path
+                              {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
+                            fi
                            # Set appropriate permissions
                            {{container_cli}} exec "$container_name" chown haproxy:haproxy "$service_pem"
                            # Trigger a reload for HAProxy to read the new certificates
--- a/deployment/haproxy/haproxy-public-tls-certmonger.yaml
+++ b/deployment/haproxy/haproxy-public-tls-certmonger.yaml
@ -139,10 +139,19 @@ outputs:
                          cat "$service_crt" "$ca_path" "$service_key" > "$service_pem"

                          container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
-                          # Refresh the pem at the mount-point
-                          {{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
-                          # Copy the new pem from the mount-point to the real path
-                          {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
+                          # Inject the new pem into the running container
+                          if echo "$container_name" | grep -q "^haproxy-bundle"; then
+                            # lp#1917868: Do not use podman cp with HA containers as they get
+                            # frozen temporarily and that can make pacemaker operation fail.
+                            tar -c "$service_pem" | {{container_cli}} exec -i "$container_name" tar -C / -xv
+                            # no need to update the mount point, because pacemaker
+                            # recreates the container when it's restarted
+                          else
+                            # Refresh the pem at the mount-point
+                            {{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
+                            # Copy the new pem from the mount-point to the real path
+                            {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
+                          fi
                          # Set appropriate permissions
                          {{container_cli}} exec "$container_name" chown haproxy:haproxy "$service_pem"
                          # Trigger a reload for HAProxy to read the new certificates
--- a/deployment/haproxy/haproxy-public-tls-inject.yaml
+++ b/deployment/haproxy/haproxy-public-tls-inject.yaml
@ -175,7 +175,11 @@ outputs:
                - name: copy certificate, chgrp, restart haproxy
                  shell: |
                    set -e
-                    {{ container_cli }} cp {{ cert_path }} {{ item }}:{{ cert_path }}
+                    if echo {{ item }} | grep -q "^haproxy-bundle"; then
+                      tar -c {{ cert_path }} | {{container_cli}} exec -i {{ item }} tar -C / -xv
+                    else
+                      {{ container_cli }} cp {{ cert_path }} {{ item }}:{{ cert_path }}
+                    fi
                    {{ container_cli }} exec --user root {{ item }} chgrp haproxy {{ cert_path }}
                    {{ container_cli }} kill --signal=HUP {{ item }}
                  with_items: "{{ container_id.stdout.split('\n') }}"
--- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml
@ -360,10 +360,22 @@ outputs:
                          container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
                          service_crt="/etc/pki/tls/certs/rabbitmq.crt"
                          service_key="/etc/pki/tls/private/rabbitmq.key"
-                          # Copy the new cert from the mount-point to the real path
-                          {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
-                          # Copy the new key from the mount-point to the real path
-                          {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
+                          if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
+                            # lp#1917868: Do not use podman cp with HA containers as they get
+                            # frozen temporarily and that can make pacemaker operation fail.
+                            tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
+                            # no need to update the mount point, because pacemaker
+                            # recreates the container when it's restarted
+                          else
+                            # Refresh the cert at the mount-point
+                            {{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
+                            # Refresh the key at the mount-point
+                            {{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
+                            # Copy the new cert from the mount-point to the real path
+                            {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
+                            # Copy the new key from the mount-point to the real path
+                            {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
+                          fi
                          # Set appropriate permissions
                          {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
                          {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
--- a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
@ -295,10 +295,22 @@ outputs:
                          container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
                          service_crt="/etc/pki/tls/certs/rabbitmq.crt"
                          service_key="/etc/pki/tls/private/rabbitmq.key"
-                          # Copy the new cert from the mount-point to the real path
-                          {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
-                          # Copy the new key from the mount-point to the real path
-                          {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
+                          if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
+                            # lp#1917868: Do not use podman cp with HA containers as they get
+                            # frozen temporarily and that can make pacemaker operation fail.
+                            tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
+                            # no need to update the mount point, because pacemaker
+                            # recreates the container when it's restarted
+                          else
+                            # Refresh the cert at the mount-point
+                            {{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
+                            # Refresh the key at the mount-point
+                            {{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
+                            # Copy the new cert from the mount-point to the real path
+                            {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
+                            # Copy the new key from the mount-point to the real path
+                            {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
+                          fi
                          # Set appropriate permissions
                          {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
                          {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
@ -295,10 +295,22 @@ outputs:
                          container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
                          service_crt="/etc/pki/tls/certs/rabbitmq.crt"
                          service_key="/etc/pki/tls/private/rabbitmq.key"
-                          # Copy the new cert from the mount-point to the real path
-                          {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
-                          # Copy the new key from the mount-point to the real path
-                          {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
+                          if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
+                            # lp#1917868: Do not use podman cp with HA containers as they get
+                            # frozen temporarily and that can make pacemaker operation fail.
+                            tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
+                            # no need to update the mount point, because pacemaker
+                            # recreates the container when it's restarted
+                          else
+                            # Refresh the cert at the mount-point
+                            {{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
+                            # Refresh the key at the mount-point
+                            {{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
+                            # Copy the new cert from the mount-point to the real path
+                            {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
+                            # Copy the new key from the mount-point to the real path
+                            {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
+                          fi
                          # Set appropriate permissions
                          {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
                          {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"