)]}'
{"files/certmonger-haproxy-refresh.sh":[{"author":{"_account_id":8449,"name":"Marios Andreou","email":"marios.andreou@gmail.com","username":"marios"},"change_message_id":"9d5573dce9123c529f517817e92a462a43049f0d","unresolved":false,"context_lines":[{"line_number":4,"context_line":"# renewal. It\u0027ll concatenate the needed certificates for the PEM file that"},{"line_number":5,"context_line":"# HAProxy reads."},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"ACTION\u003d$1"},{"line_number":8,"context_line":"NETWORK\u003d$2"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"certmonger_ca\u003d$(hiera -c /etc/puppet/hiera.yaml certmonger_ca)"},{"line_number":11,"context_line":"container_cli\u003d$(hiera -c /etc/puppet/hiera.yaml container_cli docker)"}],"source_content_type":"text/x-sh","patch_set":12,"id":"9fdfeff1_514b0358","line":8,"range":{"start_line":7,"start_character":4,"end_line":8,"end_character":5},"updated":"2019-01-25 08:06:56.000000000","message":"does it need some validation on the params (looks like they\u0027re coming from THT and from this script expected to be one of a few values like \"reload\" or \"restart\") - or even just on the number of params being passed here?","commit_id":"c33f339d38427e85fef230b024f16b3bbbd5daa8"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"eba120ba6892a0de3ebc7995dc1bf297f1784532","unresolved":false,"context_lines":[{"line_number":4,"context_line":"# renewal. 
It\u0027ll concatenate the needed certificates for the PEM file that"},{"line_number":5,"context_line":"# HAProxy reads."},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"ACTION\u003d$1"},{"line_number":8,"context_line":"NETWORK\u003d$2"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"certmonger_ca\u003d$(hiera -c /etc/puppet/hiera.yaml certmonger_ca)"},{"line_number":11,"context_line":"container_cli\u003d$(hiera -c /etc/puppet/hiera.yaml container_cli docker)"}],"source_content_type":"text/x-sh","patch_set":12,"id":"9fdfeff1_953ab631","line":8,"range":{"start_line":7,"start_character":4,"end_line":8,"end_character":5},"in_reply_to":"9fdfeff1_514b0358","updated":"2019-01-25 09:39:13.000000000","message":"Done","commit_id":"c33f339d38427e85fef230b024f16b3bbbd5daa8"},{"author":{"_account_id":14985,"name":"Alex Schultz","email":"aschultz@next-development.com","username":"mwhahaha"},"change_message_id":"78bd5847d4dde1fab6b0c14ca297708daeb8b220","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"cat \"$service_certificate\" \"$ca_path\" \"$service_key\" \u003e \"$service_pem\""},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"haproxy_container_name\u003d$($container_cli ps --format\u003d\"{{.Names}}\" | grep haproxy)"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"if [ \"$ACTION\" \u003d\u003d \"reload\" ]; then"},{"line_number":39,"context_line":"    # Copy the new cert from the mount-point to the real path"}],"source_content_type":"text/x-sh","patch_set":14,"id":"9fdfeff1_17a22a4c","line":36,"range":{"start_line":36,"start_character":0,"end_line":36,"end_character":22},"updated":"2019-01-28 15:23:01.000000000","message":"We probably should add some logic here to ensure this is actually running/exists before using it and throw an explicit error.  We can follow up with that though. 
Better to be safe than sorry","commit_id":"bd9846062c22be898d8720d1ee4ffbb65808fc8f"},{"author":{"_account_id":14985,"name":"Alex Schultz","email":"aschultz@next-development.com","username":"mwhahaha"},"change_message_id":"15be36050180a91643f3330af8dd3468864974e2","unresolved":false,"context_lines":[{"line_number":37,"context_line":""},{"line_number":38,"context_line":"if [ \"$ACTION\" \u003d\u003d \"reload\" ]; then"},{"line_number":39,"context_line":"    # Copy the new cert from the mount-point to the real path"},{"line_number":40,"context_line":"    $container_cli exec \"$haproxy_container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_pem\" \"$service_pem\""},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"    # Set appropriate permissions"},{"line_number":43,"context_line":"    $container_cli exec \"$haproxy_container_name\" chown haproxy:haproxy \"$service_pem\""}],"source_content_type":"text/x-sh","patch_set":14,"id":"9fdfeff1_64d0c220","line":40,"updated":"2019-01-25 14:59:28.000000000","message":"Isn\u0027t this handled on container startup via the kolla_set_configs?","commit_id":"bd9846062c22be898d8720d1ee4ffbb65808fc8f"},{"author":{"_account_id":10873,"name":"Juan Antonio Osorio Robles","email":"jaosorior@redhat.com","username":"ejuaoso"},"change_message_id":"7c14078cbf009d3e87f635484a9dc581bd1dc820","unresolved":false,"context_lines":[{"line_number":37,"context_line":""},{"line_number":38,"context_line":"if [ \"$ACTION\" \u003d\u003d \"reload\" ]; then"},{"line_number":39,"context_line":"    # Copy the new cert from the mount-point to the real path"},{"line_number":40,"context_line":"    $container_cli exec \"$haproxy_container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_pem\" \"$service_pem\""},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"    # Set appropriate permissions"},{"line_number":43,"context_line":"    $container_cli exec \"$haproxy_container_name\" chown haproxy:haproxy 
\"$service_pem\""}],"source_content_type":"text/x-sh","patch_set":14,"id":"9fdfeff1_3c06381f","line":40,"in_reply_to":"9fdfeff1_01019105","updated":"2019-01-28 09:17:23.000000000","message":"Yeah, but that requires us to restart the HAProxy container. which would cause a service disruption. for the certs that are configured for internal TLS; we don\u0027t need to restart the container at all, all we need to do is copy the right certs in the right path (and give it the right permissions), and reload haproxy.","commit_id":"bd9846062c22be898d8720d1ee4ffbb65808fc8f"},{"author":{"_account_id":8449,"name":"Marios Andreou","email":"marios.andreou@gmail.com","username":"marios"},"change_message_id":"17d82a43322c109ead22cc560706da55e64a1dc9","unresolved":false,"context_lines":[{"line_number":37,"context_line":""},{"line_number":38,"context_line":"if [ \"$ACTION\" \u003d\u003d \"reload\" ]; then"},{"line_number":39,"context_line":"    # Copy the new cert from the mount-point to the real path"},{"line_number":40,"context_line":"    $container_cli exec \"$haproxy_container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_pem\" \"$service_pem\""},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"    # Set appropriate permissions"},{"line_number":43,"context_line":"    $container_cli exec \"$haproxy_container_name\" chown haproxy:haproxy \"$service_pem\""}],"source_content_type":"text/x-sh","patch_set":14,"id":"9fdfeff1_01019105","line":40,"in_reply_to":"9fdfeff1_64d0c220","updated":"2019-01-28 07:54:48.000000000","message":"sounds like theres a but though (its on the tht patch https://bugs.launchpad.net/tripleo/+bug/1811401 ) hence the need to explicitly do it like this. I think? 
jaosorior i am sure can give a more reasonable explanation!","commit_id":"bd9846062c22be898d8720d1ee4ffbb65808fc8f"},{"author":{"_account_id":10873,"name":"Juan Antonio Osorio Robles","email":"jaosorior@redhat.com","username":"ejuaoso"},"change_message_id":"7c14078cbf009d3e87f635484a9dc581bd1dc820","unresolved":false,"context_lines":[{"line_number":47,"context_line":"elif [ \"$ACTION\" \u003d\u003d \"restart\" ]; then"},{"line_number":48,"context_line":"    # Copying the certificate and permissions will be handled by kolla\u0027s start"},{"line_number":49,"context_line":"    # script."},{"line_number":50,"context_line":"    $container_cli restart \"$haproxy_container_name\""},{"line_number":51,"context_line":"fi"}],"source_content_type":"text/x-sh","patch_set":14,"id":"9fdfeff1_1c2a547e","line":50,"updated":"2019-01-28 09:17:23.000000000","message":"This case is for the public cert... which unfortunately was bind-mounted directly as a file on to the container. So changes to this file don\u0027t persist on the container unless you restart it.\n\nOne thing to note though, is that folks usually don\u0027t use certmonger to track their public certs (Instead they use certs that are signed by a known and public CA). 
This might not even be used for the overcloud (only the undercloud).","commit_id":"bd9846062c22be898d8720d1ee4ffbb65808fc8f"}],"manifests/profile/base/certmonger_user.pp":[{"author":{"_account_id":10873,"name":"Juan Antonio Osorio Robles","email":"jaosorior@redhat.com","username":"ejuaoso"},"change_message_id":"d0003fc4f77f65c8b8aa73f437be79f99fa62431","unresolved":false,"context_lines":[{"line_number":52,"context_line":"#   it will create."},{"line_number":53,"context_line":"#   Defaults to hiera(\u0027tripleo::profile::base::haproxy::certificate_specs\u0027, {})."},{"line_number":54,"context_line":"#"},{"line_number":55,"context_line":"# [*haproxy_postsave_cmd*]"},{"line_number":56,"context_line":"#   (Optional) If set, it overrides the default way to restart haproxy when the"},{"line_number":57,"context_line":"#   certificate is renewed."},{"line_number":58,"context_line":"#   Defaults to undef"},{"line_number":59,"context_line":"#"},{"line_number":60,"context_line":"# [*libvirt_certificates_specs*]"},{"line_number":61,"context_line":"#   (Optional) The specifications to give to certmonger for the certificate(s)"}],"source_content_type":"text/x-puppet","patch_set":13,"id":"9fdfeff1_b55c9a7e","line":58,"range":{"start_line":55,"start_character":0,"end_line":58,"end_character":21},"updated":"2019-01-25 09:41:08.000000000","message":"lets remove this","commit_id":"6fcb8d7be6f4adeb57f66e828efeeb66d5adf824"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"6062a2bf3e4a6dffdf2ade19e8cf167eaab0afd0","unresolved":false,"context_lines":[{"line_number":52,"context_line":"#   it will create."},{"line_number":53,"context_line":"#   Defaults to hiera(\u0027tripleo::profile::base::haproxy::certificate_specs\u0027, {})."},{"line_number":54,"context_line":"#"},{"line_number":55,"context_line":"# [*haproxy_postsave_cmd*]"},{"line_number":56,"context_line":"#   (Optional) If set, it overrides the default 
way to restart haproxy when the"},{"line_number":57,"context_line":"#   certificate is renewed."},{"line_number":58,"context_line":"#   Defaults to undef"},{"line_number":59,"context_line":"#"},{"line_number":60,"context_line":"# [*libvirt_certificates_specs*]"},{"line_number":61,"context_line":"#   (Optional) The specifications to give to certmonger for the certificate(s)"}],"source_content_type":"text/x-puppet","patch_set":13,"id":"9fdfeff1_b5d1facf","line":58,"range":{"start_line":55,"start_character":0,"end_line":58,"end_character":21},"in_reply_to":"9fdfeff1_b55c9a7e","updated":"2019-01-25 09:42:42.000000000","message":"Done","commit_id":"6fcb8d7be6f4adeb57f66e828efeeb66d5adf824"}]}
