This was mainly there as a legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.
Reduces a number of heat resources.
Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
This reverts commit 8e5d5283cc466b07616a57eeeee28859300022ab.
Reason for revert: broke OVB periodic jobs
Closes-Bug: #1908976
Change-Id: I9e8c2c96706e9abf9739b8a857231f522542fa5f
There are certain HA clustered services (e.g. galera) that don't
have the ability natively to reload their TLS certificate without
being restarted. If too many replicas are restarted concurrently
this might result in full service disruption.
To ensure service availability, provide a means to ensure that
only one service replica is restarted at a time in the cluster.
This works by using pacemaker's CIB to implement a cluster-wide
restart lock for a service. The lock has a TTL so it's guaranteed
to be eventually released without requiring complex contingency
cleanup in case of failures.
Tested locally by running the following:
1. force recreate certificate on all nodes at once for galera
(ipa-cert resubmit -i mysql), and verify that the resources
restart one after the other
2. create a lock manually in pacemaker, recreate certificate for
galera on all nodes, and verify that no resource is restarted
before the manually created lock expires.
3. create a lock manually, let it expire, recreate a certificate,
and verify that the resource is restarted appropriately and the
lock gets cleaned up from pacemaker once the restart finished.
Closes-Bug: #1885113
Change-Id: Ib2b62e33b34cf72edfdae6299cf432259bf960a2
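The three scenarios listed in the commit message above (concurrent restart serialized by the lock, a pre-existing lock blocking restarts until it expires, and an expired lock being reclaimed and cleaned up) can be reproduced against a model of the lock. This is an added example, not code from the commit or from the project: it stands in for pacemaker's CIB with a plain dict, and the property name, the "<owner>:<expiry>" value layout and the timing constants are all assumptions.

```python
import time

# Assumed CIB property name; a real implementation would read and write the
# lock through pacemaker tooling, this example only models the algorithm.
LOCK_KEY = "tripleo-restart-lock"

def try_acquire(cib, service, owner, ttl, now=None):
    """Take the cluster-wide restart lock for `service` if allowed.

    The stored value is "<owner>:<expiry>" (owner must not contain ':').
    The lock is granted when none exists, when the caller already holds it,
    or when the existing lock's TTL has elapsed, so a stale lock left behind
    by a failed restart never blocks the cluster forever."""
    now = time.time() if now is None else now
    key = f"{LOCK_KEY}-{service}"
    current = cib.get(key)
    if current is not None:
        holder, expiry = current.split(":")
        if holder != owner and float(expiry) > now:
            return False  # another replica is restarting and its lock is live
    cib[key] = f"{owner}:{now + ttl}"
    return True

def release(cib, service, owner):
    """Drop the lock only if `owner` still holds it (never remove a newer one)."""
    key = f"{LOCK_KEY}-{service}"
    current = cib.get(key)
    if current is not None and current.split(":")[0] == owner:
        del cib[key]
        return True
    return False

def simulate_rolling_restart(nodes, service, ttl, restart_time, cib=None, start=0.0):
    """Every node gets a renewed certificate at `start` and wants to restart.
    Simulated time advances one second per round; a restart holds the lock for
    `restart_time` seconds. Returns (completion_time, node) pairs in order."""
    cib = {} if cib is None else cib
    now, holder, finish_at, timeline, pending = start, None, None, [], list(nodes)
    while pending or holder:
        if holder and now >= finish_at:          # restart finished: clean up
            release(cib, service, holder)
            timeline.append((now, holder))
            holder = None
        if holder is None:
            for node in pending:                 # one replica at a time
                if try_acquire(cib, service, node, ttl, now):
                    holder, finish_at = node, now + restart_time
                    pending.remove(node)
                    break
        now += 1.0
    return timeline
```

Passing a dict that already contains a lock (for example `{"tripleo-restart-lock-galera": "manual:20.0"}`) reproduces scenarios 2 and 3: no restart happens before the manual lock's expiry, and the dict is empty once the rolling restart completes.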
Current puppet modules use only absolute names to include classes,
so replace relative names by absolute names in template files so that
the template description can be consistent with the puppet implementation.
Change-Id: I7a704d113289d61ed05f7a31d65caf2908a7994a
In commit 37a339d2b0f0282bf1bac96587b10ca61868cec5, the hieradata
parameter certmonger_ca was set to only be set when internal_tls was
enabled.
This breaks cert issuance by a non-local certmonger CA when
issuing the haproxy cert on the undercloud, e.g. issuing this cert by
IPA, which relies on this hieradata being set.
There is no reason to restrict this data from being set, and doing so
fixes the problem. (rhbz#1793975)
The remaining data should be set only when internal_tls is enabled.
Change-Id: If3e3870dd7bd087984e433f7aa832d1bb0ac5b2b
Fixes-Bug: 1860718