From 801391a13eec513f7e0f5dba09b1214e4db8abf4 Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza
Date: Fri, 25 Jan 2019 14:54:00 +0100
Subject: [PATCH] rabbitmq: Remove default post-save command for certmonger

The default command didn't work, so we need to fix that. The script additionally copies the certificates in the right place and instead of restarting RabbitMQ, it triggers a pem cache reload.

Related-Bug: #1811401
Needed-By: I3e564f9a5abdbf11d0580c4ff801092f32bcc678
Change-Id: Id06633a1adaafe1fef1d3d7f6b2af3ef5ffc9d4a
---
 files/certmonger-rabbitmq-refresh.sh | 17 +++++++++++++++++
 manifests/certmonger/rabbitmq.pp | 11 ++++++++---
 2 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 files/certmonger-rabbitmq-refresh.sh

diff --git a/files/certmonger-rabbitmq-refresh.sh b/files/certmonger-rabbitmq-refresh.sh
new file mode 100644
index 000000000..3ec4fec8c
--- /dev/null
+++ b/files/certmonger-rabbitmq-refresh.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+
+container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli docker)
+
+container_name=$($container_cli ps --format="{{.Names}}" | grep rabbitmq)
+
+service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate)"
+
+# Copy the new cert from the mount-point to the real path
+$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
+
+# Set appropriate permissions
+$container_cli exec "$container_name" chown rabbitmq:rabbitmq "$service_pem"
+
+# Trigger a pem cache clear in RabbitMQ to read the new certificates
+$container_cli exec $container_name rabbitmqctl eval "ssl:clear_pem_cache()."
diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp
index 5b9dafd06..8eb3dd52a 100644
--- a/manifests/certmonger/rabbitmq.pp
+++ b/manifests/certmonger/rabbitmq.pp
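Review bot: The new script has no `set -e`/`set -u` and never checks that `container_name` or `service_pem` is non-empty, so when `hiera` returns nothing or `grep rabbitmq` matches no container the `cp`, `chown` and `rabbitmqctl` lines run against an empty target, the hook exits as if it had succeeded, and the old certificate stays in place — the same silent failure the commit message says the previous default suffered. `grep rabbitmq` also matches any container whose name contains that substring; if more than one exists, `container_name` holds several newline-separated names and `exec` gets a target it cannot use. The `cp` line additionally assumes `service_pem` is an absolute path (it is concatenated directly after `src-tls`), and the last line leaves `$container_name` unquoted unlike the two lines above it. Fail fast on these conditions and quote consistently:
```shell
#!/bin/bash
set -euo pipefail

container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli docker)

# grep may match several containers; require exactly one
container_name=$($container_cli ps --format="{{.Names}}" | grep rabbitmq || true)
if [ -z "$container_name" ] || [ "$(printf '%s\n' "$container_name" | wc -l)" -ne 1 ]; then
    echo "certmonger-rabbitmq-refresh: expected exactly one rabbitmq container, got: ${container_name:-none}" >&2
    exit 1
fi

service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate)"
# The mount-point path below is built by prefixing service_pem, so it must be absolute
case "$service_pem" in
    /*) ;;
    *) echo "certmonger-rabbitmq-refresh: service_certificate must be an absolute path, got '$service_pem'" >&2; exit 1 ;;
esac

# … unchanged: cp from the mount-point and chown …

# Trigger a pem cache clear in RabbitMQ to read the new certificates
$container_cli exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
```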
@@ -33,7 +33,6 @@
 #
 # [*postsave_cmd*]
 # (Optional) Specifies the command to execute after requesting a certificate.
-# If nothing is given, it will default to: "systemctl restart ${service name}"
 # Defaults to undef.
 #
 # [*principal*]
@@ -51,7 +50,13 @@ class tripleo::certmonger::rabbitmq (
 include ::certmonger
 include ::rabbitmq::params
 
- $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::rabbitmq::params::service_name}")
+ ensure_resource('file', '/usr/bin/certmonger-rabbitmq-refresh.sh', {
+ source => 'puppet:///modules/tripleo/certmonger-rabbitmq-refresh.sh',
+ mode => '0700',
+ seltype => 'bin_t',
+ notify => Service['certmonger']
+ })
+
 certmonger_certificate { 'rabbitmq' :
 ensure => 'present',
 certfile => $service_certificate,
@@ -59,7 +64,7 @@ class tripleo::certmonger::rabbitmq (
 hostname => $hostname,
 dnsname => $hostname,
 principal => $principal,
- postsave_cmd => $postsave_cmd_real,
+ postsave_cmd => $postsave_cmd,
 ca => $certmonger_ca,
 wait => true,
 require => Class['::certmonger'],
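Review bot: The `file` resource in the second hunk installs a script that certmonger will run with root privileges, but it sets only `mode => '0700'` and no `owner`/`group`, so ownership is whatever the agent run happens to use; pin it with `owner => 'root',` and `group => 'root',` so that no non-root account can ever edit a root-executed hook. Nothing in this change points `postsave_cmd` at the new script — with the `pick()` default removed, the certificate now gets no post-save command at all unless the caller supplies one, which presumably the Needed-By change does. A comment on the file resource such as `# Post-save hook for the rabbitmq certificate; callers pass this path as postsave_cmd`, and a sentence under `[*postsave_cmd*]` in the first hunk naming `/usr/bin/certmonger-rabbitmq-refresh.sh` as the intended value, would make that wiring explicit. The class body continues outside these hunks.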