From ab310a65e359a569672fbb60bab5d1403714a303 Mon Sep 17 00:00:00 2001
From: Tobias Urdin
Date: Mon, 5 Nov 2018 16:40:03 +0100
Subject: [PATCH] Certificate changes should restart services

Certificate changes or path changes in octavia::certificate should notify the octavia::service::begin anchor so that services are refreshed otherwise for example octavia-worker will not use a new certificate.

Change-Id: Ie03cfedccc6a675976688a944b1ee91a0a9f55f1
---
 manifests/certificates.pp | 24 ++++++++++++-------
 manifests/deps.pp | 3 +++
 ...-service-certificate-b4000c445374129c.yaml | 6 +++++
 spec/classes/octavia_certificates_spec.rb | 19 ++++++++++++---
 4 files changed, 41 insertions(+), 11 deletions(-)
 create mode 100644 releasenotes/notes/restart-service-certificate-b4000c445374129c.yaml
diff --git a/manifests/certificates.pp b/manifests/certificates.pp
index cf42be85..2caa3cae 100644
--- a/manifests/certificates.pp
+++ b/manifests/certificates.pp
@@ -113,7 +113,8 @@ class octavia::certificates (
 ensure => directory,
 owner => $file_permission_owner,
 group => $file_permission_group,
- mode => '0755'
+ mode => '0755',
+ tag => 'octavia-certificate',
 })
 file { $ca_certificate:
 ensure => file,
@@ -121,7 +122,8 @@ class octavia::certificates (
 group => $file_permission_owner,
 owner => $file_permission_group,
 mode => '0755',
- replace => true
+ replace => true,
+ tag => 'octavia-certificate',
 }
 }
 if $ca_private_key_data {
@@ -132,7 +134,8 @@ class octavia::certificates (
 ensure => directory,
 owner => $file_permission_owner,
 group => $file_permission_group,
- mode => '0755'
+ mode => '0755',
+ tag => 'octavia-certificate',
 })
 file { $ca_private_key:
 ensure => file,
@@ -140,7 +143,8 @@ class octavia::certificates (
 group => $file_permission_owner,
 owner => $file_permission_group,
 mode => '0755',
- replace => true
+ replace => true,
+ tag => 'octavia-certificate',
 }
 }
 if $client_ca and $client_ca_data {
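Review bot: In the certificate file resource edited by hunk `@@ -121,7 +122,8 @@`, the context lines read `group => $file_permission_owner,` and `owner => $file_permission_group,`, which looks swapped; the directory resource in the hunk above pairs `owner` with `$file_permission_owner`. The same pairing appears in the file resources of hunks `@@ -140,7 +143,8 @@`, `@@ -156,7 +161,8 @@` and `@@ -175,7 +182,8 @@`. The spec expects `octavia` for both owner and group, so the swap would not show up there, but with distinct values the certificate and key files would presumably end up owned by the wrong account. Since each of these resources is edited here anyway, I would change them to `owner => $file_permission_owner,` and `group => $file_permission_group,`. The resource bodies start outside the hunks.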
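Review bot: The `$ca_private_key` file in hunk `@@ -140,7 +143,8 @@` still carries `mode => '0755',`, so the CA private key is readable by every local account, and its directory in hunk `@@ -132,7 +134,8 @@` is `0755` as well, so nothing above it restricts access. This commit makes changes to that file restart the services but leaves the permissions as they were; I would tighten the key file to `mode => '0600',` (or `'0640'` if the group has to read it) and drop the execute bits on the certificate files too. The spec pins `'mode' => '0755'` for `/etc/octavia/key.pem` and would need the same update. The resource starts outside the hunk.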
@@ -148,7 +152,8 @@ class octavia::certificates (
 ensure => directory,
 owner => $file_permission_owner,
 group => $file_permission_group,
- mode => '0755'
+ mode => '0755',
+ tag => 'octavia-certificate',
 })
 file { $client_ca:
 ensure => file,
@@ -156,7 +161,8 @@ class octavia::certificates (
 group => $file_permission_owner,
 owner => $file_permission_group,
 mode => '0755',
- replace => true
+ replace => true,
+ tag => 'octavia-certificate',
 }
 }
 if $client_cert_data {
@@ -167,7 +173,8 @@ class octavia::certificates (
 ensure => directory,
 owner => $file_permission_owner,
 group => $file_permission_group,
- mode => '0755'
+ mode => '0755',
+ tag => 'octavia-certificate',
 })
 file { $client_cert:
 ensure => file,
@@ -175,7 +182,8 @@ class octavia::certificates (
 group => $file_permission_owner,
 owner => $file_permission_group,
 mode => '0755',
- replace => true
+ replace => true,
+ tag => 'octavia-certificate',
 }
 }
 }
diff --git a/manifests/deps.pp b/manifests/deps.pp
index 9ddc31f8..41c42aa3 100644
--- a/manifests/deps.pp
+++ b/manifests/deps.pp
@@ -36,4 +36,7 @@ class octavia::deps {
 # Installation or config changes will always restart services.
 Anchor['octavia::install::end'] ~> Anchor['octavia::service::begin']
 Anchor['octavia::config::end'] ~> Anchor['octavia::service::begin']
+
+ # Changes in certificate or folders will restart services.
+ File<| tag == 'octavia-certificate' |> ~> Anchor['octavia::service::begin']
 }
diff --git a/releasenotes/notes/restart-service-certificate-b4000c445374129c.yaml b/releasenotes/notes/restart-service-certificate-b4000c445374129c.yaml
new file mode 100644
index 00000000..cba9dcb5
--- /dev/null
+++ b/releasenotes/notes/restart-service-certificate-b4000c445374129c.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ When certificate data or file paths change in octavia::certificates it will
+ not cause a restart of the Octavia services so that for example the
+ octavia-worker service can use the new certificates.
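Review bot: The collector `File<| tag == 'octavia-certificate' |>` added to manifests/deps.pp matches every File resource in the catalog that carries the tag, not only the ones declared in octavia::certificates, and the only link between the two manifests is a bare string repeated in each resource. The comment above it could state that contract, for example `# Any File tagged 'octavia-certificate' (set in octavia::certificates) refreshes the Octavia services.` The release note added by this commit says the change "will not cause a restart", which reads as the opposite of what this line does; presumably "now" was meant.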
diff --git a/spec/classes/octavia_certificates_spec.rb b/spec/classes/octavia_certificates_spec.rb
index 8a2c63b2..c1dd1937 100644
--- a/spec/classes/octavia_certificates_spec.rb
+++ b/spec/classes/octavia_certificates_spec.rb
@@ -81,27 +81,40 @@ describe 'octavia::certificates' do
 'owner' => 'octavia',
 'group' => 'octavia',
 'mode' => '0755',
+ 'tag' => 'octavia-certificate',
+ })
+ is_expected.to contain_file('/etc/octavia/ca.pem').with({
+ 'content' => 'on_my_authority_this_is_a_certificate',
+ 'tag' => 'octavia-certificate',
 })
- is_expected.to contain_file('/etc/octavia/ca.pem').with_content('on_my_authority_this_is_a_certificate')
 is_expected.to contain_file('/etc/octavia/key.pem').with({
 'ensure' => 'file',
 'owner' => 'octavia',
 'group' => 'octavia',
 'mode' => '0755',
+ 'tag' => 'octavia-certificate',
+ })
+ is_expected.to contain_file('/etc/octavia/key.pem').with({
+ 'content' => 'this_is_my_private_key_woot_woot',
+ 'tag' => 'octavia-certificate',
 })
- is_expected.to contain_file('/etc/octavia/key.pem').with_content('this_is_my_private_key_woot_woot')
 is_expected.to contain_file('/etc/octavia/client.pem').with({
 'ensure' => 'file',
 'owner' => 'octavia',
 'group' => 'octavia',
 'mode' => '0755',
+ 'tag' => 'octavia-certificate',
+ })
+ is_expected.to contain_file('/etc/octavia/client.pem').with({
+ 'content' => 'certainly_for_the_client',
+ 'tag' => 'octavia-certificate',
 })
- is_expected.to contain_file('/etc/octavia/client.pem').with_content('certainly_for_the_client')
 is_expected.to contain_file('/etc/octavia').with({
 'ensure' => 'directory',
 'owner' => 'octavia',
 'group' => 'octavia',
 'mode' => '0755',
+ 'tag' => 'octavia-certificate',
 })
 end
 end
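Review bot: The new expectations only check that the `tag` parameter is present; nothing asserts that a tagged file notifies `Anchor['octavia::service::begin']`, so removing the collector from manifests/deps.pp would presumably leave this example passing. An expectation such as `is_expected.to contain_file('/etc/octavia/key.pem').that_notifies('Anchor[octavia::service::begin]')` would pin the behaviour the commit is about. Each certificate file also now has two `.with({...})` expectations that both assert the tag; the `'content'` key could move into the first hash instead. The example starts outside the hunk.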