From ab5d866cbc8bd61e04010611b028f9d20292bbe5 Mon Sep 17 00:00:00 2001
From: Damien Ciabrini
Date: Mon, 22 Mar 2021 18:04:08 +0100
Subject: [PATCH] HA: inject public certificates without blocking container

Do not inject public certificates in pacemaker bundles by means of "podman cp", as this pauses the container for a short amount of time and can make pacemaker operation fail during that time window and impact cluster for no reason.

Keep "podman cp" for non-HA containers, as the freeze is short and doesn't seem to impact podman monitoring anyway.

The new certificate injection only works for podman 1.9+, lower version won't overwrite the existing certificate.

(cherry-picked from 93e53b74293cb4478ea415255fee96e7fddda004)
(squashed with Ic6e4264c5ad46bd2589cc907c365af2d42fde63d)
(removed a part that should stay in puppet-tripleo before wallaby)

Closes-Bug: #1917868
Change-Id: Id7308f028f33716be5e3df6699c3f2c12e33e344
---
 deployment/haproxy/haproxy-public-tls-inject.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/deployment/haproxy/haproxy-public-tls-inject.yaml b/deployment/haproxy/haproxy-public-tls-inject.yaml
index 9f62ca2bd6..3b06af25e2 100644
--- a/deployment/haproxy/haproxy-public-tls-inject.yaml
+++ b/deployment/haproxy/haproxy-public-tls-inject.yaml
@@ -178,7 +178,11 @@ outputs:
 - name: copy certificate, chgrp, restart haproxy
 shell: |
 set -e
- {{ container_cli }} cp {{ cert_path }} {{ item }}:{{ cert_path }}
+ if {{ container_cli }} ps -f "id={{ item }}" --format "{{ '{{' }}.Names{{ '}}' }}" | grep -q "^haproxy-bundle"; then
+ tar -c {{ cert_path }} | {{container_cli}} exec -i {{ item }} tar -C / -xv
+ else
+ {{ container_cli }} cp {{ cert_path }} {{ item }}:{{ cert_path }}
+ fi
 {{ container_cli }} exec --user root {{ item }} chgrp haproxy {{ cert_path }}
 {{ container_cli }} kill --signal=HUP {{ item }}
 with_items: "{{ container_id.stdout.split('\n') }}"
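Review bot: The added `tar -c {{ cert_path }} | {{container_cli}} exec -i {{ item }} tar -C / -xv` pipeline runs under `set -e` alone, so only the exit status of the extracting side is checked; a failure of the host-side `tar -c` (for example an unreadable `{{ cert_path }}`) is masked unless it also makes the extract fail, and the task then proceeds to the `chgrp` and HUP lines with a stale certificate in the bundle. Changing the first line of the script to `set -e` plus `set -o pipefail` (bash only; the shell module's interpreter on these hosts is presumably bash, confirm) or checking the host tar's status explicitly would make the injection fail loudly instead. The `ps … | grep -q` test has the same pipeline property, but there a failed `{{ container_cli }} ps` merely falls through to the `cp` branch, which looks intentional. On a point of style, `{{container_cli}}` on the tar line is the only Jinja expression in the block written without inner spaces; `{{ container_cli }}` would match the rest. The task and its enclosing `outputs:` mapping continue outside the hunk.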