59 lines
2.2 KiB
Django/Jinja
59 lines
2.2 KiB
Django/Jinja
#!/bin/bash
|
|
|
|
# This script is meant to reload HAProxy when letsencrypt triggers a certificate
|
|
# renewal. It'll concatenate the needed certificates for the PEM file that
|
|
# HAProxy reads.
|
|
|
|
{% raw %}
|
|
die() { echo "$*" 1>&2 ; exit 1; }
|
|
{% endraw %}
|
|
|
|
H_NAME="{{ letsencrypt_acme_sh_certs_data_prefix }}"
|
|
LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
|
|
|
|
{% raw %}
|
|
LE_ENV_FILE=/etc/default/acme_sh_request_env
|
|
if [ -f "$LE_ENV_FILE" ] ; then
|
|
. "$LE_ENV_FILE"
|
|
else
|
|
die "No letsencrypt client configuration available"
|
|
fi
|
|
|
|
ACTION=reload
|
|
|
|
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
|
|
|
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::haproxy::service_certificate)"
|
|
|
|
cat ${LE_CERTS_DIR}/{fullchain,privkey} > "$service_pem"
|
|
chmod 0440 "$service_pem"
|
|
|
|
haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
|
|
|
|
if [ "$ACTION" == "reload" ]; then
|
|
# Inject the new certificate into the running container
|
|
if echo "$haproxy_container_name" | grep -q "^haproxy-bundle"; then
|
|
# lp#1917868: Do not use podman cp with HA containers as they get
|
|
# frozen temporarily and that can make pacemaker operation fail.
|
|
tar -c "$service_pem" | $container_cli exec -i "$haproxy_container_name" tar -C / -xv
|
|
# no need to update the mount point, because pacemaker
|
|
# recreates the container when it's restarted
|
|
else
|
|
# Refresh the pem at the mount-point
|
|
$container_cli cp $service_pem "$haproxy_container_name:/var/lib/kolla/config_files/src-tls${service_pem}"
|
|
# Copy the new pem from the mount-point to the real path
|
|
$container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls${service_pem}" "$service_pem"
|
|
fi
|
|
|
|
# Set appropriate permissions
|
|
$container_cli exec "$haproxy_container_name" chown haproxy:haproxy "$service_pem"
|
|
|
|
# Trigger a reload for HAProxy to read the new certificates
|
|
$container_cli kill --signal HUP "$haproxy_container_name"
|
|
elif [ "$ACTION" == "restart" ]; then
|
|
# Copying the certificate and permissions will be handled by kolla's start
|
|
# script.
|
|
$container_cli restart "$haproxy_container_name"
|
|
fi
|
|
{% endraw %}
|