From 8b16911cc26ced10316fdd37a818fc1cb6fe5ece Mon Sep 17 00:00:00 2001 From: Damien Ciabrini Date: Mon, 30 Nov 2020 17:13:50 +0100 Subject: [PATCH] Revert rolling certificate updates for HA services Currently galera and ovn require a coordinated restart across the controller node when certmonger determines the certificate for a node has expired and it needs to regenerate it. But right now, when the tripleo certmonger puppet module is called to assert the state of the certificates, it ends up regenerating a new certificate unconditionally. So the galera and ovn get restarted on stack update, even when there is no need to. To mitigate these unnecessary restarts, disable the post-action for now until we fix the behaviour of tripleo's certmonger puppet module. This has the side effect that services won't get restarted automatically if no stack update takes place until the certificate expiration date is reached. Related-Bug: #1906505 Change-Id: I17f1364932e43b8487515084e41b525e186888db --- deployment/database/mysql-pacemaker-puppet.yaml | 2 -- deployment/ovn/ovn-dbs-pacemaker-puppet.yaml | 2 -- 2 files changed, 4 deletions(-) diff --git a/deployment/database/mysql-pacemaker-puppet.yaml b/deployment/database/mysql-pacemaker-puppet.yaml index 1246488e36..e14ba73e7a 100644 --- a/deployment/database/mysql-pacemaker-puppet.yaml +++ b/deployment/database/mysql-pacemaker-puppet.yaml @@ -173,8 +173,6 @@ outputs: if: - internal_tls_enabled - - tripleo::certmonger::mysql::postsave_cmd: - /usr/bin/certmonger-ha-resource-refresh.sh mysql galera galera-bundle Master tripleo::profile::pacemaker::database::mysql_bundle::ca_file: get_param: InternalTLSCAFile - {} diff --git a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml index 8527a1f965..381f94c1e8 100644 --- a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml +++ b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml 
@@ -170,8 +170,6 @@ outputs: - if: - internal_tls_enabled - generate_service_certificates: true - tripleo::certmonger::ovn_dbs::postsave_cmd: - /usr/bin/certmonger-ha-resource-refresh.sh ovn_dbs ovndb_servers ovn-dbs-bundle Slave Master tripleo::profile::pacemaker::ovn_dbs_bundle::ca_file: get_param: InternalTLSCAFile tripleo::profile::base::neutron::agents::ovn::protocol: 'ssl'
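Review bot: In the mysql-pacemaker-puppet.yaml hunk, the removal of `tripleo::certmonger::mysql::postsave_cmd` under `internal_tls_enabled` leaves nothing in the template that records why galera no longer reloads a renewed certificate. The commit message says the post-action is disabled "for now" and that services will not restart automatically before the certificate expiration date, but that caveat lives only in the commit log. Please add a YAML comment at this spot that references bug #1906505 and states that galera-bundle has to be restarted by the operator after a certificate renewal, plus a release note covering the same point, so the temporary state is visible to whoever reads the template and is easy to find when the certmonger puppet module is fixed.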
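Review bot: In the ovn-dbs-pacemaker-puppet.yaml hunk, `tripleo::certmonger::ovn_dbs::postsave_cmd` is dropped while `tripleo::profile::base::neutron::agents::ovn::protocol: 'ssl'` stays in the same block, so the OVN databases keep requiring TLS but are no longer refreshed when certmonger saves a new certificate. Per the commit message, without a stack update nothing restarts ovn-dbs-bundle before the expiration date, which is an availability risk for every agent connecting over ssl. Please document the manual refresh step for ovndb_servers next to this block with a reference to bug #1906505, and confirm in the change description whether removing the hiera key also clears the post-save command on nodes that were deployed with it, since the diff alone does not show that.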