From 095d130f9dbadb698c2c349819e754a907455ee0 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Wed, 16 Aug 2017 09:26:42 +0300
Subject: Certmonger: Make postsave command configurable

We need to make it configurable since these commands don't apply for
containerized environments. This way we can restart containers or
disable restarting and rely on other means.

This stems from the issue that some services get accidentally started by
certmonger on containerized environments, which makes the container
initialization fail.

bp tls-via-certmonger-containers

Change-Id: I62ff89362cfcc80e6e62fad09110918c36802813
---
 manifests/profile/base/certmonger_user.pp | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

(limited to 'manifests/profile/base/certmonger_user.pp')

diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 2ac4b6e..c3dde96 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -38,11 +38,21 @@
 #   it will create.
 #   Defaults to hiera('apache_certificate_specs', {}).
 #
+# [*apache_postsave_cmd*]
+#   (Optional) If set, it overrides the default way to restart apache when the
+#   certificate is renewed.
+#   Defaults to undef
+#
 # [*haproxy_certificates_specs*]
 #   (Optional) The specifications to give to certmonger for the certificate(s)
 #   it will create.
 #   Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
 #
+# [*haproxy_postsave_cmd*]
+#   (Optional) If set, it overrides the default way to restart haproxy when the
+#   certificate is renewed.
+#   Defaults to undef
+#
 # [*libvirt_certificates_specs*]
 #   (Optional) The specifications to give to certmonger for the certificate(s)
 #   it will create.
@@ -70,7 +80,9 @@
 #
 class tripleo::profile::base::certmonger_user (
   $apache_certificates_specs  = hiera('apache_certificates_specs', {}),
+  $apache_postsave_cmd        = undef,
   $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
+  $haproxy_postsave_cmd       = undef,
   $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
   $mongodb_certificate_specs  = hiera('mongodb_certificate_specs',{}),
   $mysql_certificate_specs    = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
@@ -94,7 +106,8 @@ class tripleo::profile::base::certmonger_user (
 
   unless empty($apache_certificates_specs) {
     include ::tripleo::certmonger::apache_dirs
-    ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs)
+    ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs,
+                      {'postsave_cmd' => $apache_postsave_cmd})
   }
   unless empty($libvirt_certificates_specs) {
     include ::tripleo::certmonger::libvirt_dirs
@@ -102,7 +115,8 @@ class tripleo::profile::base::certmonger_user (
   }
   unless empty($haproxy_certificates_specs) {
     include ::tripleo::certmonger::haproxy_dirs
-    ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
+    ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs,
+                      {'postsave_cmd' => $haproxy_postsave_cmd})
     # The haproxy fronends (or listen resources) depend on the certificate
     # existing and need to be refreshed if it changed.
     Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
-- 
cgit 1.2.3-korg