reload HAProxy config in HA setups when certificate is updated
When updating a certificate for HAProxy, we only do a reload of the configuration on non-HA setups. This means that if we try the same in an HA setup, the cloud will still serve the old certificate and that leads to several issues, such as serving a revoked or even a compromised certificate for some time, or just SSL issues that the certificate doesn't match. This enables a reload for HA cases too.

Change-Id: Ib8ca2fe91be345ef4324fc8265c45df8108add7a
Closes-Bug: #1629886
parent 935fbd6feb
commit b74b6793d2
@ -64,11 +64,9 @@ resources:
| openssl md5 | cut -c 10- \
> ${heat_outputs_path}.key_modulus
# We need to reload haproxy in case the certificate changed because
# puppet doesn't know the contents of the cert file. The pacemaker
# case is handled separately in a pacemaker-specific resource.
pacemaker_status=$(systemctl is-active pacemaker)
# puppet doesn't know the contents of the cert file.
haproxy_status=$(systemctl is-active haproxy)
if [ "$pacemaker_status" != "active" -a "$haproxy_status" = "active"]; then
if [ "$haproxy_status" = "active" ]; then
systemctl reload haproxy
fi
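Review bot: the result of `systemctl reload haproxy` inside the new `if [ "$haproxy_status" = "active" ]` branch is never checked, so unless the script runs under `set -e` (not visible in this hunk) a failed reload leaves the old certificate in service with no signal, which is the situation the commit message sets out to fix. Consider exiting non-zero or at least logging when the reload fails. Separately, the comment being dropped said the pacemaker case "is handled separately in a pacemaker-specific resource"; with the `pacemaker_status` guard gone, the commit message or the remaining comment should say whether that resource is still in place (HA nodes would then reload twice) and whether `systemctl is-active haproxy` actually reports `active` when pacemaker manages the service, since otherwise this branch is still skipped on HA nodes.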