Look at automating management of IGTF CAs and CRLs bundle #183

Open
gwarf opened this issue Feb 15, 2021 · 1 comment

gwarf commented Feb 15, 2021

Currently CAs and CRLs bundles have to be managed manually for HAproxy (cf. EGI-Federation/fedcloud-integration-documentation#28 and https://egi-federated-cloud-integration.readthedocs.io/en/latest/openstack.html#pre-requisites).
Ideally it should be automated using fetch-crl and yum hooks.

Automatic managing of CRLs bundle

Proposed solution by @dlgroep.

CRLs bundle should be updated after each fetch-crl passes. The postexec hook could be used with a script using cat and reloading HAproxy:

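 #!/bin/sh
 # fetch-crl postexec hook: rebuild the CRL bundle, then reload HAProxy.
 # "$5" is the directory holding the fetched *.r0 CRL files.
 set -e  # do not reload HAProxy if building the bundle failed
 cat "$5"/*.r0 > "$5"/igtf-crls-bundle.pem
 systemctl reload haproxy.service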

Automatic managing of CAs bundle

Possible solutions

  • Using a cron job with cat and reload (like every 6 hours) (proposed by @dlgroep)
  • Using a yum-plugin-post-transaction-actions.noarch triggering on any change on one of the ca_* packages. (proposed by @msalle)

Moved from EGI-Federation/fedcloud-integration-documentation#30
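
An added example, not part of the issue or the project's code: one script that could serve both the fetch-crl postexec hook and the CA cron job proposed above. It keeps the old bundle when nothing matches, skips its own output file, replaces the bundle atomically and reloads HAProxy only when the content changed. The function names, the script name and `RELOAD_CMD` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the issue. Usage: igtf-bundle.sh DIR 'GLOB' OUT
# e.g. from the postexec hook: igtf-bundle.sh "$5" '*.r0' "$5/igtf-crls-bundle.pem"
# RELOAD_CMD is an assumed override; its default is the reload command from the issue.
RELOAD_CMD=${RELOAD_CMD:-"systemctl reload haproxy.service"}

# rebuild_bundle DIR GLOB OUT: returns 0 if OUT was replaced, 1 if unchanged, 2 on error.
rebuild_bundle() {
    dir=$1; glob=$2; out=$3; n=0
    tmp=$(mktemp "$out.XXXXXX") || return 2        # same directory, so mv is a rename
    for f in "$dir"/$glob; do
        [ -f "$f" ] || continue                    # unmatched glob or not a regular file
        case "${f##*/}" in "${out##*/}"*) continue ;; esac   # skip the bundle and its temp file
        cat "$f" >> "$tmp" || { rm -f "$tmp"; return 2; }
        n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then                        # nothing to bundle: keep the old file
        rm -f "$tmp"; return 2
    fi
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then # identical content: nothing to do
        rm -f "$tmp"; return 1
    fi
    chmod 644 "$tmp" && mv -f "$tmp" "$out" || { rm -f "$tmp"; return 2; }
}

# update_and_reload DIR GLOB OUT: reload HAProxy only when the bundle changed.
update_and_reload() {
    rc=0
    rebuild_bundle "$1" "$2" "$3" || rc=$?
    case $rc in
        0) $RELOAD_CMD ;;
        1) return 0 ;;
        *) echo "bundle $3 not updated" >&2; return 1 ;;
    esac
}

# Run only when called with the three arguments shown in the usage line.
if [ "$#" -eq 3 ]; then update_and_reload "$@"; fi
```

If the CA bundle is built from a `*.pem` glob in the same directory as `igtf-crls-bundle.pem`, the glob also matches the CRL bundle, so write the bundles to a separate directory or use a glob that cannot match them.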

@brucellino

This can be solved elegantly with a Vault agent or consul-template. I know I'm doing some archaeology here, but since this is event-driven, I would imagine the trigger is also an event.
