EGI-Federation / documentation

Sources to build EGI documentation site.
https://docs.egi.eu/
MIT License

Look at automating management of IGTF CAs and CRLs bundle #183

Open gwarf opened 3 years ago

gwarf commented 3 years ago

Currently CAs and CRLs bundles have to be managed manually for HAproxy (cf. https://github.com/EGI-Foundation/fedcloud-integration-documentation/issues/28 and https://egi-federated-cloud-integration.readthedocs.io/en/latest/openstack.html#pre-requisites). Ideally it should be automated using fetch-crl and yum hooks.

Automatic managing of CRLs bundle

Proposed solution by @dlgroep.

CRLs bundle should be updated after each fetch-crl pass. The postexec hook could be used with a script using cat and reloading HAproxy:

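 #!/bin/sh
 # fetch-crl postexec hook: "$5" is the directory holding the fetched CRLs (*.r0)
 # Concatenate all CRLs into the single bundle file used by HAProxy
 cat "$5"/*.r0 > "$5"/igtf-crls-bundle.pem
 # Reload HAProxy so it picks up the refreshed bundle
 systemctl reload haproxy.service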

Automatic managing of CAs bundle

Possible solutions

Moved from https://github.com/EGI-Foundation/fedcloud-integration-documentation/issues/30
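A hardened variant of the postexec hook above, added here as an example and not code from this issue or from the EGI documentation: it builds the bundle in a temporary file, keeps the previous bundle if no usable CRL was found, and reloads HAProxy only when the bundle content changed. It assumes, as the script in the issue does, that `$5` is the directory holding the PEM `*.r0` files; `build_crl_bundle` and `RELOAD_CMD` are hypothetical names.

```shell
#!/bin/sh
# Added example: fetch-crl postexec hook maintaining an HAProxy CRL bundle.
# Assumption (taken from the issue's script): "$5" is the directory with the *.r0 CRLs.
BUNDLE_NAME=igtf-crls-bundle.pem
# Hypothetical override knob so the reload command can be replaced (e.g. in tests)
RELOAD_CMD=${RELOAD_CMD:-"systemctl reload haproxy.service"}

# build_crl_bundle DIR
# Returns 0 if the bundle was replaced, 1 if it is unchanged,
# 2 if no usable CRL was found (the previous bundle is left untouched).
build_crl_bundle() {
    dir=$1
    # Temp file in the same directory so the final rename stays on one filesystem
    tmp=$(mktemp "$dir/.crl-bundle.XXXXXX") || return 2
    count=0
    for crl in "$dir"/*.r0; do
        # Skip an unmatched glob, empty files and anything that is not a PEM CRL
        [ -s "$crl" ] || continue
        grep -q -- '-----BEGIN X509 CRL-----' "$crl" || continue
        cat "$crl" >> "$tmp"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"; return 2
    fi
    if cmp -s "$tmp" "$dir/$BUNDLE_NAME"; then
        rm -f "$tmp"; return 1
    fi
    chmod 0644 "$tmp"
    # rename(2) within one directory is atomic: readers see the old or the new file
    mv -f "$tmp" "$dir/$BUNDLE_NAME"
}

# Only act when called as a hook with the CRL directory in "$5"
if [ -n "${5:-}" ]; then
    rc=0; build_crl_bundle "$5" || rc=$?
    case $rc in
        0) $RELOAD_CMD ;;   # bundle changed: reload HAProxy
        1) : ;;             # bundle identical: skip the reload
        *) echo "CRL bundle not rebuilt, keeping previous one" >&2; exit 1 ;;
    esac
fi
```

The non-zero exit on failure is there so a monitoring check on the hook can flag a stale bundle instead of HAProxy silently loading an empty one.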

brucellino commented 4 months ago

This can be solved elegantly with a Vault agent or consul-template. I know I'm doing some archaeology here, but since this is event-driven, I would imagine the trigger is also an event.