From 095d130f9dbadb698c2c349819e754a907455ee0 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Wed, 16 Aug 2017 09:26:42 +0300
Subject: Certmonger: Make postsave command configurable

We need to make it configurable since these commands don't apply for
containerized environments. This way we can restart containers or
disable restarting and rely on other means.

This stems from the issue that some services get accidentally started by
certmonger on containerized environments, which makes the container
initialization fail.

bp tls-via-certmonger-containers

Change-Id: I62ff89362cfcc80e6e62fad09110918c36802813
---
 manifests/certmonger/haproxy.pp           | 13 +++++++------
 manifests/certmonger/httpd.pp             | 10 ++++++++--
 manifests/certmonger/mongodb.pp           | 10 ++++++++--
 manifests/certmonger/mysql.pp             | 10 ++++++++--
 manifests/certmonger/rabbitmq.pp          | 10 ++++++++--
 manifests/profile/base/certmonger_user.pp | 18 ++++++++++++++++--
 6 files changed, 55 insertions(+), 16 deletions(-)

diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp
index d4f4ad2..819348d 100644
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -32,10 +32,6 @@
 #   The hostname that certmonger will use as the common name for the
 #   certificate.
 #
-# [*postsave_cmd*]
-#   The post-save-command that certmonger will use once it renews the
-#   certificate.
-#
 # [*certmonger_ca*]
 #   (Optional) The CA that certmonger will use to generate the certificates.
 #   Defaults to hiera('certmonger_ca', 'local').
@@ -48,15 +44,19 @@
 # [*principal*]
 #   The haproxy service principal that is set for HAProxy in kerberos.
 #
+# [*postsave_cmd*]
+#   The post-save-command that certmonger will use once it renews the
+#   certificate.
+#
 define tripleo::certmonger::haproxy (
   $service_pem,
   $service_certificate,
   $service_key,
   $hostname,
-  $postsave_cmd,
   $certmonger_ca = hiera('certmonger_ca', 'local'),
   $dnsnames      = undef,
   $principal     = undef,
+  $postsave_cmd  = undef,
 ){
     include ::certmonger
     include ::haproxy::params
@@ -74,6 +74,7 @@ define tripleo::certmonger::haproxy (
       $dnsnames_real = $hostname
     }
 
+    $postsave_cmd_real = pick($postsave_cmd, 'systemctl reload haproxy')
     certmonger_certificate { "${title}-cert":
       ensure       => 'present',
       ca           => $certmonger_ca,
@@ -81,7 +82,7 @@ define tripleo::certmonger::haproxy (
       dnsname      => $dnsnames_real,
       certfile     => $service_certificate,
       keyfile      => $service_key,
-      postsave_cmd => $postsave_cmd,
+      postsave_cmd => $postsave_cmd_real,
       principal    => $principal,
       wait         => true,
       tag          => 'haproxy-cert',
diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp
index e9754f7..1b57984 100644
--- a/manifests/certmonger/httpd.pp
+++ b/manifests/certmonger/httpd.pp
@@ -36,6 +36,11 @@
 #   in the certificate. If left unset, the value will be set to the $hostname.
 #   Defaults to undef
 #
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#   If nothing is given, it will default to: "systemctl restart ${service name}"
+#   Defaults to undef.
+#
 # [*principal*]
 #   The haproxy service principal that is set for HAProxy in kerberos.
 #
@@ -45,6 +50,7 @@ define tripleo::certmonger::httpd (
   $service_key,
   $certmonger_ca = hiera('certmonger_ca', 'local'),
   $dnsnames      = undef,
+  $postsave_cmd  = undef,
   $principal     = undef,
 ) {
   include ::certmonger
@@ -56,7 +62,7 @@ define tripleo::certmonger::httpd (
     $dnsnames_real = $hostname
   }
 
-  $postsave_cmd = "systemctl reload ${::apache::params::service_name}"
+  $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::apache::params::service_name}")
   certmonger_certificate { $name :
     ensure       => 'present',
     certfile     => $service_certificate,
@@ -64,7 +70,7 @@ define tripleo::certmonger::httpd (
     hostname     => $hostname,
     dnsname      => $dnsnames_real,
     principal    => $principal,
-    postsave_cmd => $postsave_cmd,
+    postsave_cmd => $postsave_cmd_real,
     ca           => $certmonger_ca,
     wait         => true,
     tag          => 'apache-cert',
diff --git a/manifests/certmonger/mongodb.pp b/manifests/certmonger/mongodb.pp
index 0b2dd6a..37af82c 100644
--- a/manifests/certmonger/mongodb.pp
+++ b/manifests/certmonger/mongodb.pp
@@ -34,6 +34,11 @@
 #   (Optional) The CA that certmonger will use to generate the certificates.
 #   Defaults to hiera('certmonger_ca', 'local').
 #
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#   If nothing is given, it will default to: "systemctl restart ${service name}"
+#   Defaults to undef.
+#
 # [*principal*]
 #   (Optional) The service principal that is set for the service in kerberos.
 #   Defaults to undef
@@ -44,12 +49,13 @@ class tripleo::certmonger::mongodb (
   $service_key,
   $service_pem,
   $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $postsave_cmd  = undef,
   $principal     = undef,
 ) {
   include ::certmonger
   include ::mongodb::params
 
-  $postsave_cmd  = "systemctl restart ${::mongodb::params::service_name}"
+  $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::mongodb::params::service_name}")
   certmonger_certificate { 'mongodb' :
     ensure       => 'present',
     certfile     => $service_certificate,
@@ -57,7 +63,7 @@ class tripleo::certmonger::mongodb (
     hostname     => $hostname,
     dnsname      => $hostname,
     principal    => $principal,
-    postsave_cmd => $postsave_cmd,
+    postsave_cmd => $postsave_cmd_real,
     ca           => $certmonger_ca,
     wait         => true,
     require      => Class['::certmonger'],
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp
index 0988c55..ae408b6 100644
--- a/manifests/certmonger/mysql.pp
+++ b/manifests/certmonger/mysql.pp
@@ -37,6 +37,11 @@
 #   This parameter can take both a string or an array of strings.
 #   Defaults to $hostname
 #
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#   If nothing is given, it will default to: "systemctl restart ${service name}"
+#   Defaults to undef.
+#
 # [*principal*]
 #   (Optional) The haproxy service principal that is set for MySQL in kerberos.
 #   Defaults to undef
@@ -47,12 +52,13 @@ class tripleo::certmonger::mysql (
   $service_key,
   $certmonger_ca = hiera('certmonger_ca', 'local'),
   $dnsnames      = $hostname,
+  $postsave_cmd  = undef,
   $principal     = undef,
 ) {
   include ::certmonger
   include ::mysql::params
 
-  $postsave_cmd        = "systemctl reload ${::mysql::params::server_service_name}"
+  $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::mysql::params::server_service_name}")
   certmonger_certificate { 'mysql' :
     ensure       => 'present',
     certfile     => $service_certificate,
@@ -60,7 +66,7 @@ class tripleo::certmonger::mysql (
     hostname     => $hostname,
     dnsname      => $dnsnames,
     principal    => $principal,
-    postsave_cmd => $postsave_cmd,
+    postsave_cmd => $postsave_cmd_real,
     ca           => $certmonger_ca,
     wait         => true,
     require      => Class['::certmonger'],
diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp
index 4a47938..15b1fc3 100644
--- a/manifests/certmonger/rabbitmq.pp
+++ b/manifests/certmonger/rabbitmq.pp
@@ -31,6 +31,11 @@
 #   (Optional) The CA that certmonger will use to generate the certificates.
 #   Defaults to hiera('certmonger_ca', 'local').
 #
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#   If nothing is given, it will default to: "systemctl restart ${service name}"
+#   Defaults to undef.
+#
 # [*principal*]
 #   (Optional) The service principal that is set for the service in kerberos.
 #   Defaults to undef
@@ -40,12 +45,13 @@ class tripleo::certmonger::rabbitmq (
   $service_certificate,
   $service_key,
   $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $postsave_cmd  = undef,
   $principal     = undef,
 ) {
   include ::certmonger
   include ::rabbitmq::params
 
-  $postsave_cmd  = "systemctl restart ${::rabbitmq::params::service_name}"
+  $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::rabbitmq::params::service_name}")
   certmonger_certificate { 'rabbitmq' :
     ensure       => 'present',
     certfile     => $service_certificate,
@@ -53,7 +59,7 @@ class tripleo::certmonger::rabbitmq (
     hostname     => $hostname,
     dnsname      => $hostname,
     principal    => $principal,
-    postsave_cmd => $postsave_cmd,
+    postsave_cmd => $postsave_cmd_real,
     ca           => $certmonger_ca,
     wait         => true,
     require      => Class['::certmonger'],
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 2ac4b6e..c3dde96 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -38,11 +38,21 @@
 #   it will create.
 #   Defaults to hiera('apache_certificate_specs', {}).
 #
+# [*apache_postsave_cmd*]
+#   (Optional) If set, it overrides the default way to restart apache when the
+#   certificate is renewed.
+#   Defaults to undef
+#
 # [*haproxy_certificates_specs*]
 #   (Optional) The specifications to give to certmonger for the certificate(s)
 #   it will create.
 #   Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
 #
+# [*haproxy_postsave_cmd*]
+#   (Optional) If set, it overrides the default way to restart haproxy when the
+#   certificate is renewed.
+#   Defaults to undef
+#
 # [*libvirt_certificates_specs*]
 #   (Optional) The specifications to give to certmonger for the certificate(s)
 #   it will create.
@@ -70,7 +80,9 @@
 #
 class tripleo::profile::base::certmonger_user (
   $apache_certificates_specs  = hiera('apache_certificates_specs', {}),
+  $apache_postsave_cmd        = undef,
   $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
+  $haproxy_postsave_cmd       = undef,
   $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
   $mongodb_certificate_specs  = hiera('mongodb_certificate_specs',{}),
   $mysql_certificate_specs    = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
@@ -94,7 +106,8 @@ class tripleo::profile::base::certmonger_user (
 
   unless empty($apache_certificates_specs) {
     include ::tripleo::certmonger::apache_dirs
-    ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs)
+    ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs,
+                      {'postsave_cmd' => $apache_postsave_cmd})
   }
   unless empty($libvirt_certificates_specs) {
     include ::tripleo::certmonger::libvirt_dirs
@@ -102,7 +115,8 @@ class tripleo::profile::base::certmonger_user (
   }
   unless empty($haproxy_certificates_specs) {
     include ::tripleo::certmonger::haproxy_dirs
-    ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
+    ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs,
+                      {'postsave_cmd' => $haproxy_postsave_cmd})
     # The haproxy fronends (or listen resources) depend on the certificate
     # existing and need to be refreshed if it changed.
     Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
-- 
cgit 1.2.3-korg