From 7cc4a3da6f6f458918a6b8ca4b6bce25197e2974 Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza
Date: Fri, 1 Feb 2019 17:00:01 +0100
Subject: [PATCH] neutron dhcpd: Add script for certmonger postsave_cmd

The default update procedure didn't work, so are fixing that.

Related-Bug: #1811401
Needed-By: I449df13ea2c49a8cf6d2e8e632b2b39707071c52
Change-Id: I9954cf33efedf2ec3dfb03109595cd4431feff60
---
 files/certmonger-neutron-dhcpd-refresh.sh | 21 +++++++++++++++++++++
 manifests/certmonger/neutron.pp | 8 +++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 files/certmonger-neutron-dhcpd-refresh.sh

diff --git a/files/certmonger-neutron-dhcpd-refresh.sh b/files/certmonger-neutron-dhcpd-refresh.sh
new file mode 100644
index 000000000..9bc600eee
--- /dev/null
+++ b/files/certmonger-neutron-dhcpd-refresh.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+
+container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli docker)
+
+container_name=$($container_cli ps --format="{{.Names}}" | grep neutron_dhcp)
+
+# The certificate is also installed on the computes, but neutron_dhcp is only
+# present on the controllers, so we exit if the container could not be found.
+[[ -z $container_name ]] && exit 0
+
+service_crt="$(hiera -c /etc/puppet/hiera.yaml neutron::agents::dhcp::ovsdb_agent_ssl_cert_file)"
+service_key="$(hiera -c /etc/puppet/hiera.yaml neutron::agents::dhcp::ovsdb_agent_ssl_key_file)"
+
+# Copy the new cert from the mount-point to the real path
+$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
+
+# Copy the new key from the mount-point to the real path
+$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
+
+# No need to trigger a reload for neutron dhcpd since the cert is not cached
diff --git a/manifests/certmonger/neutron.pp b/manifests/certmonger/neutron.pp
index ec25aba5b..4260318c6 100644
--- a/manifests/certmonger/neutron.pp
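Review bot: Neither `cp` call in the new script is checked, so its exit status is only that of the key copy; if the certificate copy fails and the key copy succeeds, the container is left with a mismatched cert/key pair and the script still exits 0. Suffix each copy with `|| exit 1` rather than adding `set -e`, because under `set -e` a non-matching `grep` would abort the script before the intended `exit 0` on computes. The `grep neutron_dhcp` match is also an unanchored substring, so any other running container whose name contains it would make `$container_name` multi-line and break the `exec`; `grep -x neutron_dhcp` would pin it, assuming that is the exact container name. Because `cp` runs as root inside the container, it is also worth confirming that the private key ends up with the owner and mode the agent expects when the destination file does not exist yet.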
+++ b/manifests/certmonger/neutron.pp
@@ -33,7 +33,6 @@
 #
 # [*postsave_cmd*]
 # (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to 'if systemctl -q is-active opendaylight; then systemctl restart opendaylight; else true; fi'
 #
 # [*principal*]
 # (Optional) The haproxy service principal that is set for neutron in kerberos.
@@ -49,6 +48,13 @@ class tripleo::certmonger::neutron (
 ) {
 include ::certmonger
 
+ ensure_resource('file', '/usr/bin/certmonger-neutron-dhcpd-refresh.sh', {
+ source => 'puppet:///modules/tripleo/certmonger-neutron-dhcpd-refresh.sh',
+ mode => '0700',
+ seltype => 'bin_t',
+ notify => Service['certmonger']
+ })
+
 certmonger_certificate { 'neutron' :
 ensure => 'present',
 certfile => $service_certificate,
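Review bot: The `file` resource for `/usr/bin/certmonger-neutron-dhcpd-refresh.sh` sets `mode` and `seltype` but neither `owner` nor `group`, so a pre-existing file at that path would keep whatever ownership it already has. With `mode => '0700'` the owner is the only account that can read or run the script, and the script itself runs `exec -u root` inside the container, so ownership should be pinned with `owner => 'root',` and `group => 'root',` next to the mode. The class body continues outside the hunk, so whether `postsave_cmd` is actually pointed at this script cannot be checked from here.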