summaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-10-03 16:56:21 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-10-03 18:20:29 +0300
commitb74b6793d28beb67d63eb1eafa9ed36ed4e92335 (patch)
tree3a9a55639a47e341a25ce6443a772cd7097b2a7d /puppet
parent935fbd6febc7e58257a3d252354011b00cac1a97 (diff)
reload HAProxy config in HA setups when certificate is updated
When updating a certificate for HAProxy, we only do a reload of the configuration on non-HA setups. This means that if we try the same in an HA setup, the cloud will still serve the old certificate and that leads to several issues, such as serving a revoked or even a compromised certificate for some time, or just SSL issues that the certificate doesn't match. This enables a reload for HA cases too. Change-Id: Ib8ca2fe91be345ef4324fc8265c45df8108add7a Closes-Bug: #1629886
Diffstat (limited to 'puppet')
-rw-r--r--puppet/extraconfig/tls/tls-cert-inject.yaml6
1 files changed, 2 insertions, 4 deletions
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
index e281ef51..49d84574 100644
--- a/puppet/extraconfig/tls/tls-cert-inject.yaml
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -64,11 +64,9 @@ resources:
| openssl md5 | cut -c 10- \
> ${heat_outputs_path}.key_modulus
# We need to reload haproxy in case the certificate changed because
- # puppet doesn't know the contents of the cert file. The pacemaker
- # case is handled separately in a pacemaker-specific resource.
- pacemaker_status=$(systemctl is-active pacemaker)
+ # puppet doesn't know the contents of the cert file.
haproxy_status=$(systemctl is-active haproxy)
- if [ "$pacemaker_status" != "active" -a "$haproxy_status" = "active"]; then
+ if [ "$haproxy_status" = "active" ]; then
systemctl reload haproxy
fi