Merge "rabbitmq: Remove default post-save command for certmonger"

files/certmonger-rabbitmq-refresh.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+
+container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli docker)
+
+container_name=$($container_cli ps --format="{{.Names}}" | grep rabbitmq)
+
+service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate)"
+
+# Copy the new cert from the mount-point to the real path
+$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
+
+# Set appropriate permissions
+$container_cli exec "$container_name" chown rabbitmq:rabbitmq "$service_pem"
+
+# Trigger a pem cache clear in RabbitMQ to read the new certificates
+$container_cli exec $container_name rabbitmqctl eval "ssl:clear_pem_cache()."

manifests/certmonger/rabbitmq.pp

@@ -33,7 +33,6 @@
 #
 # [*postsave_cmd*]
 #   (Optional) Specifies the command to execute after requesting a certificate.
-#   If nothing is given, it will default to: "systemctl restart ${service name}"
 #   Defaults to undef.
 #
 # [*principal*]
@@ -51,7 +50,13 @@ class tripleo::certmonger::rabbitmq (
   include ::certmonger
   include ::rabbitmq::params
 
-  $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::rabbitmq::params::service_name}")
+  ensure_resource('file', '/usr/bin/certmonger-rabbitmq-refresh.sh', {
+    source  => 'puppet:///modules/tripleo/certmonger-rabbitmq-refresh.sh',
+    mode    => '0700',
+    seltype => 'bin_t',
+    notify  => Service['certmonger']
+  })
+
   certmonger_certificate { 'rabbitmq' :
     ensure       => 'present',
     certfile     => $service_certificate,
@@ -59,7 +64,7 @@ class tripleo::certmonger::rabbitmq (
     hostname     => $hostname,
     dnsname      => $hostname,
     principal    => $principal,
-    postsave_cmd => $postsave_cmd_real,
+    postsave_cmd => $postsave_cmd,
     ca           => $certmonger_ca,
     wait         => true,
     require      => Class['::certmonger'],