
HA: inject public certificates without blocking container

Do not inject public certificates in pacemaker bundles by means
of "podman cp", as this pauses the container for a short amount
of time and can make pacemaker operation fail during that time
window and impact the cluster for no reason.

Keep "podman cp" for non-HA containers, as the freeze is short
and doesn't seem to impact podman monitoring anyway.

The new certificate injection only works for podman 1.9+; lower
versions won't overwrite the existing certificate.

(cherry-picked from 93e53b7429)
(squashed with Ic6e4264c5ad46bd2589cc907c365af2d42fde63d)
(removed a part that should stay in puppet-tripleo before wallaby)

Closes-Bug: #1917868

Change-Id: Id7308f028f33716be5e3df6699c3f2c12e33e344
changes/49/783949/3
Damien Ciabrini 3 months ago
parent commit ab5d866cbc
1 changed file with 5 additions and 1 deletion

deployment/haproxy/haproxy-public-tls-inject.yaml (+5, -1)

@ -178,7 +178,11 @@ outputs:
- name: copy certificate, chgrp, restart haproxy
shell: |
set -e
{{ container_cli }} cp {{ cert_path }} {{ item }}:{{ cert_path }}
if {{ container_cli }} ps -f "id={{ item }}" --format "{{ '{{' }}.Names{{ '}}' }}" | grep -q "^haproxy-bundle"; then
tar -c {{ cert_path }} | {{container_cli}} exec -i {{ item }} tar -C / -xv
else
{{ container_cli }} cp {{ cert_path }} {{ item }}:{{ cert_path }}
fi
{{ container_cli }} exec --user root {{ item }} chgrp haproxy {{ cert_path }}
{{ container_cli }} kill --signal=HUP {{ item }}
with_items: "{{ container_id.stdout.split('\n') }}"
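Review bot: the `set -e` at the top of this shell block does not cover pipelines, so in the `if` test a failure of `{{ container_cli }} ps ...` is masked by `grep -q` returning non-zero and the script silently falls into the `else` branch and runs `podman cp` against what may in fact be an HA bundle, which is exactly the pause this change is meant to avoid; likewise a failing host-side `tar -c {{ cert_path }}` in the new branch is hidden by the exit status of the `tar -C / -xv` on the container side. Add `set -o pipefail` next to `set -e` (or capture the `ps` output into a variable first and test it separately) so both pipelines fail loudly. Separately, the commit message notes the tar injection only overwrites the existing certificate on podman 1.9+, but nothing in the hunk checks or documents that requirement at the point of use; a short comment above the `if` stating the minimum version would help whoever debugs a stale certificate on an older host.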
