reload HAProxy config in HA setups when certificate is updated

When updating a certificate for HAProxy, we only do a reload of the
configuration on non-HA setups. This means that if we try the same in
an HA setup, the cloud will still serve the old certificate and that
leads to several issues, such as serving a revoked or even a
compromised certificate for some time, or just SSL issues that the
certificate doesn't match. This enables a reload for HA cases too.

Change-Id: Ib8ca2fe91be345ef4324fc8265c45df8108add7a
Closes-Bug: #1629886

diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
index e281ef5..49d8457 100644 (file)
--- a/puppet/extraconfig/tls/tls-cert-inject.yaml
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -64,11 +64,9 @@ resources:
           | openssl md5 | cut -c 10- \
           > ${heat_outputs_path}.key_modulus
         # We need to reload haproxy in case the certificate changed because
-        # puppet doesn't know the contents of the cert file.  The pacemaker
-        # case is handled separately in a pacemaker-specific resource.
-        pacemaker_status=$(systemctl is-active pacemaker)
+        # puppet doesn't know the contents of the cert file.
         haproxy_status=$(systemctl is-active haproxy)
-        if [ "$pacemaker_status" != "active" -a "$haproxy_status" = "active"]; then
+        if [ "$haproxy_status" = "active" ]; then
             systemctl reload haproxy
         fi