Fix double cert mount in haproxy bundle when using tls everywhere
When deploying with tls-everywhere the haproxy_init_bundle container
will bind mount /etc/ipa/ca.crt twice and starting with podman 1.{3,4}.x
this will break:
"stderr: Error: /etc/ipa/ca.crt: duplicate mount destination"
The TLS bind mounts are needed in haproxy_init_bundle (which is only
in charge of creating the pcmk resource) because puppet-haproxy uses
a validate command to check the config which will fail if we simply
remove those bind mounts. Instead of skipping this verification with
some parameter/tag, we try and avoid the duplicate cert by removing the
ca.crt bind mount from deployed_cert_mounts.
Reviewed: https://review.opendev.org/688055
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=7e303fdbbb580db2769375c31088f4ba583bc00e
Submitter: Zuul
Branch: stable/stein
commit 7e303fdbbb580db2769375c31088f4ba583bc00e
Author: Michele Baldessari <email address hidden>
Date: Thu Oct 3 15:04:47 2019 +0200
Fix double cert mount in haproxy bundle when using tls everywhere
When deploying with tls-everywhere the haproxy_init_bundle container
will bind mount /etc/ipa/ca.crt twice and starting with podman 1.{3,4}.x
this will break:
"stderr: Error: /etc/ipa/ca.crt: duplicate mount destination"
The TLS bind mounts are needed in haproxy_init_bundle (which is only
in charge of creating the pcmk resource) because puppet-haproxy uses
a validate command to check the config which will fail if we simply
remove those bind mounts. Instead of skipping this verification with
some parameter/tag, we try and avoid the duplicate cert by removing the
ca.crt bind mount from deployed_cert_mounts.
The duplication comes from:
1) https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/containers-common.yaml#L122-L127
2) https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/haproxy/haproxy-pacemaker-puppet.yaml#L263
Since changing it into 1) has large implication, we just avoid
redefining it in 2).
Tested with a full tls-everywhere deploy with the applied patch and the
error is not seen any longer.
(cherry picked from commit 668cc684fc93503128c946dae9f331b49437ec2c)
Change-Id: I6493fd090c808da01d19cc12d1b8371c67708904
Related-Bug: #1833347
Closes-Bug: #1846495