From 4deea3a46babe9faabaec5b90e7425b4fe93915c Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza
Date: Fri, 25 Jan 2019 17:26:31 +0100
Subject: [PATCH] redis: Remove default post-save command for certmonger

The default command didn't work, so we need to fix that. The script additionally copies the certificates in the right place and instead of restarting stunnel, triggers a configuration reload.

Related-Bug: #1811401
Needed-By: I49811a6cab5416d965ce1da93a71728ad5b1d27c
Change-Id: I437d69fef45d1662e8908c5ca0f7063be6cb9b32
---
 files/certmonger-redis-refresh.sh | 14 ++++++++++++++
 manifests/certmonger/redis.pp | 8 +++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 files/certmonger-redis-refresh.sh

diff --git a/files/certmonger-redis-refresh.sh b/files/certmonger-redis-refresh.sh
new file mode 100644
index 000000000..c6cafb082
--- /dev/null
+++ b/files/certmonger-redis-refresh.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+
+container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli docker)
+
+container_name=$($container_cli ps --format="{{.Names}}" | grep redis_tls_proxy)
+
+service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::redis::service_certificate)"
+
+# Copy the new cert from the mount-point to the real path
+$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
+
+# Trigger a reload for stunnel to read the new certificates
+pkill -o -HUP stunnel
diff --git a/manifests/certmonger/redis.pp b/manifests/certmonger/redis.pp
index 1b3b119ea..aeabc4d75 100644
--- a/manifests/certmonger/redis.pp
+++ b/manifests/certmonger/redis.pp
@@ -33,7 +33,6 @@
 #
 # [*postsave_cmd*]
 # (Optional) Specifies the command to execute after requesting a certificate.
-# If nothing is given, it will default to: "systemctl restart ${service name}"
 # Defaults to undef.
 #
 # [*principal*]
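Review bot: The script never checks that `container_name` resolved, so when `ps | grep redis_tls_proxy` matches nothing (or more than one container) the `cp` on the second-to-last line fails silently and `pkill -o -HUP stunnel` still reloads stunnel against the old certificate, while certmonger records the post-save command as successful. Add `set -euo pipefail` after the shebang and guard the lookup, e.g. `[ -n "$container_name" ] || { echo "redis_tls_proxy container not found" >&2; exit 1; }`, so a failed copy is reported back to certmonger instead of being masked. `pkill -o -HUP stunnel` also signals the oldest stunnel process visible on the host rather than the one in the named container; if more than one stunnel can run on the host, sending the HUP via `$container_cli exec "$container_name" pkill -HUP stunnel` keeps the reload scoped to the proxy. Whether `pkill` is available inside the container image cannot be told from the hunk.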
@@ -50,6 +49,13 @@ class tripleo::certmonger::redis (
 ) {
 include ::certmonger
 
+ ensure_resource('file', '/usr/bin/certmonger-redis-refresh.sh', {
+ source => 'puppet:///modules/tripleo/certmonger-redis-refresh.sh',
+ mode => '0700',
+ seltype => 'bin_t',
+ notify => Service['certmonger']
+ })
+
 certmonger_certificate { 'redis' :
 ensure => 'present',
 certfile => $service_certificate,
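Review bot: The file resource for `/usr/bin/certmonger-redis-refresh.sh` sets `mode => '0700'` but no `owner`/`group`, so Puppet leaves ownership at whatever the file had when created and will not correct it on later runs; since certmonger executes this script as root, pin it with `owner => 'root',` and `group => 'root',` next to `mode`. The hunk also shows no ordering between this file and the `certmonger_certificate { 'redis' : ... }` declared right below it; if the certificate's `postsave_cmd` is pointed at this script, the script must exist before the first request is issued, so consider `before => Certmonger_certificate['redis']` in addition to the existing `notify => Service['certmonger']` — how the post-save command is wired cannot be confirmed from this hunk. The enclosing class `tripleo::certmonger::redis` begins before the hunk and continues past it.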