HAProxy: Make certmonger bundle the cert and key on renewal

the postsave command is ran by certmonger when a certificate is requested (which will happen on certificate renewal). The previous command given didn't take into account the file that haproxy expects, which is a bundled PEM file with both the certificate and the key. Thus, certmonger would have never generated a new bundle that haproxy would use, resulting in haproxy always having an old bundle after certificate expiration. This fixes that. Change-Id: Idb650d35f56abaf6a17e17794a068dd5933e6a62 Closes-Bug: #1712514
2017-08-23 12:20:20 +03:00 · 2017-08-23 12:20:20 +03:00 · e1791a37d5
parent 351ab93251
commit e1791a37d5
1 changed files with 14 additions and 1 deletions
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@ -74,7 +74,20 @@ define tripleo::certmonger::haproxy (
      $dnsnames_real = $hostname
    }

-    $postsave_cmd_real = pick($postsave_cmd, 'if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi')
+    if $certmonger_ca == 'local' {
+      $ca_fragment = $ca_pem
+    } else {
+      $ca_fragment = ''
+    }
+
+    $concat_pem = "cat ${service_certificate} ${ca_fragment} ${service_key} > ${service_pem}"
+    if $postsave_cmd {
+      $postsave_cmd_real = "${concat_pem} && ${postsave_cmd}"
+    } else {
+      $reload_haproxy_cmd = 'if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi'
+      $postsave_cmd_real = "${concat_pem} && ${reload_haproxy_cmd}"
+    }
+
    certmonger_certificate { "${title}-cert":
      ensure       => 'present',
      ca           => $certmonger_ca,