redis: Remove default post-save command for certmonger

The default command didn't work, so we need to fix that.

The script additionally copies the certificates to the right place
and, instead of restarting stunnel, triggers a configuration reload.

Related-Bug: #1811401
Needed-By: I49811a6cab5416d965ce1da93a71728ad5b1d27c
Change-Id: I437d69fef45d1662e8908c5ca0f7063be6cb9b32
(cherry picked from commit 4deea3a46b)
Grzegorz Grasza 2019-01-25 17:26:31 +01:00
parent 219c0f483c
commit 763467d7ac
2 changed files with 21 additions and 1 deletions


@ -0,0 +1,14 @@
#!/bin/bash
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli docker)
container_name=$($container_cli ps --format="{{.Names}}" | grep redis_tls_proxy)
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::redis::service_certificate)"
# Copy the new cert from the mount-point to the real path
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
# Trigger a reload for stunnel to read the new certificates
pkill -o -HUP stunnel
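Review bot: Nothing in the new script checks that the container lookup or the `cp` succeeded before `pkill -o -HUP stunnel` runs, so a failed refresh can still end with exit status 0 and leave stunnel serving the old certificate until it expires. If `grep redis_tls_proxy` matches nothing, `$container_name` is empty, and if it matches several names the quoted multi-line value is not a valid container name; in both cases the `exec` fails and the script carries on. Adding `set -e` directly after the shebang would stop the script at the first failing step, so the failure becomes visible in the post-save command's exit status. The `pkill` also runs on the host and matches by process name, with `-o` selecting only the oldest match, so on a node that runs another stunnel process the signal may go to the wrong one; scoping the reload to the proxy container would be more reliable.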


@ -33,7 +33,6 @@
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# If nothing is given, it will default to: "systemctl restart ${service name}"
# Defaults to undef.
#
# [*principal*]
@ -50,6 +49,13 @@ class tripleo::certmonger::redis (
) {
include ::certmonger
ensure_resource('file', '/usr/bin/certmonger-redis-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-redis-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { 'redis' :
ensure => 'present',
certfile => $service_certificate,