From b74b6793d28beb67d63eb1eafa9ed36ed4e92335 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Mon, 3 Oct 2016 16:56:21 +0300 Subject: reload HAProxy config in HA setups when certificate is updated When updating a certificate for HAProxy, we only do a reload of the configuration on non-HA setups. This means that if we try the same in an HA setup, the cloud will still serve the old certificate and that leads to several issues, such as serving a revoked or even a compromised certificate for some time, or just SSL issues that the certificate doesn't match. This enables a reload for HA cases too. Change-Id: Ib8ca2fe91be345ef4324fc8265c45df8108add7a Closes-Bug: #1629886 --- puppet/extraconfig/tls/tls-cert-inject.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml index e281ef51..49d84574 100644 --- a/puppet/extraconfig/tls/tls-cert-inject.yaml +++ b/puppet/extraconfig/tls/tls-cert-inject.yaml @@ -64,11 +64,9 @@ resources: | openssl md5 | cut -c 10- \ > ${heat_outputs_path}.key_modulus # We need to reload haproxy in case the certificate changed because - # puppet doesn't know the contents of the cert file. The pacemaker - # case is handled separately in a pacemaker-specific resource. - pacemaker_status=$(systemctl is-active pacemaker) + # puppet doesn't know the contents of the cert file. haproxy_status=$(systemctl is-active haproxy) - if [ "$pacemaker_status" != "active" -a "$haproxy_status" = "active"]; then + if [ "$haproxy_status" = "active" ]; then systemctl reload haproxy fi -- cgit 1.2.3-korg