Support upcoming forcing of tls priorities

Via pacemaker's commit a4ef0bb141ceb9364465e016eb471cf1494f941a
"Feature: remote: allow run-time configurable TLS priorities"

It allows setting the desired GnuTLS cipher priorities via the
PCMK_tls_priorities variable in the sysconfig environment file.

See https://gnutls.org/manual/html_node/Priority-Strings.html for what
values can be passed. Let's let an operator specify that string if
needed.

Tested with the other tripleo patches here:
https://review.opendev.org/#/q/topic:pcmk_tls+(status:open+OR+status:merged)

and correctly obtained:
A) When set to 'test'
/etc/sysconfig/pacemaker:PCMK_tls_priorities=test
B) No setting at all when unset
C) The correct env variable in some of the containers:
[root@controller-0 ~]# docker inspect haproxy-bundle-docker-1 |grep -i tls_pr
  "PCMK_tls_priorities=test",

Change-Id: I1971810f6a90f244ed5ced972a5fe7fde29dde86
Michele Baldessari 2019-07-10 20:37:31 +02:00
parent 658f4ee6d9
commit 685a1c8a95
3 changed files with 29 additions and 0 deletions


@ -71,6 +71,10 @@
# (optional) Enable pcsd debugging
# Defaults to false
#
# [*tls_priorities*]
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
# Defaults to undef
#
# === Dependencies
#
# None
@ -112,6 +116,7 @@ class pacemaker::corosync(
$settle_try_sleep = '10',
$setup_cluster = true,
$pcsd_debug = false,
$tls_priorities = undef,
) inherits pacemaker {
include ::pacemaker::params
if ! $cluster_members_rrp {
@ -163,6 +168,15 @@ class pacemaker::corosync(
before => Service['pcsd'],
notify => Service['pcsd'],
}
if $tls_priorities != undef {
file_line { 'tls_priorities':
path => $::pacemaker::pcmk_sysconfig,
line => "PCMK_tls_priorities=${tls_priorities}",
match => '^PCMK_tls_priorities=',
require => Class['::pacemaker::install'],
before => Service['pcsd'],
}
}
user { 'hacluster':
password => pw_hash($::pacemaker::hacluster_pwd, 'SHA-512', fqdn_rand_string(10)),
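Review bot: Setting `$tls_priorities` back to undef does not remove a previously written `PCMK_tls_priorities=` line, because the `if $tls_priorities != undef` branch at the top of this hunk has no else counterpart; a priority string deployed once (such as the `test` value used in the commit message) survives reverting the parameter, so the manifest converges in only one direction. An else branch declaring the same `file_line` with `ensure => absent` and `match_for_absence => true` fixes this, and the `pacemaker::remote` hunk below duplicates the block verbatim and needs the same treatment. The resource is also only ordered before `Service['pcsd']`, which does not read this variable; nothing here restarts the pacemaker daemon that consumes it, so if the module manages no pacemaker service resource the `[*tls_priorities*]` parameter comment should state that a pacemaker restart is required for a change to take effect. The enclosing class body continues outside the hunk.
```puppet
if $tls_priorities != undef {
  # … unchanged: file_line 'tls_priorities' writing the value …
} else {
  # Remove any value written by an earlier run so unsetting the parameter converges.
  file_line { 'tls_priorities':
    ensure            => absent,
    path              => $::pacemaker::pcmk_sysconfig,
    line              => 'PCMK_tls_priorities=',
    match             => '^PCMK_tls_priorities=',
    match_for_absence => true,
  }
}
```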


@ -34,6 +34,7 @@ class pacemaker::params {
'redhat': {
$pcs_bin = '/sbin/pcs'
$pcsd_sysconfig = '/etc/sysconfig/pcsd'
$pcmk_sysconfig = '/etc/sysconfig/pacemaker'
if $::operatingsystemrelease =~ /^6\..*$/ {
$package_list = ['pacemaker','pcs','fence-agents','cman']
# TODO in el6.6, $pcsd_mode should be true


@ -36,6 +36,10 @@
# (optional) Enable pcsd debugging
# Defaults to false
#
# [*tls_priorities*]
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
# Defaults to undef
#
class pacemaker::remote (
$remote_authkey,
$use_pcsd = false,
@ -43,6 +47,7 @@ class pacemaker::remote (
$pcs_password = undef,
$manage_fw = true,
$pcsd_debug = false,
$tls_priorities = undef,
) {
include ::pacemaker::params
ensure_resource('package', $::pacemaker::params::pcmk_remote_package_list, {
@ -73,6 +78,15 @@ class pacemaker::remote (
before => Service['pcsd'],
notify => Service['pcsd'],
}
if $tls_priorities != undef {
file_line { 'tls_priorities':
path => $::pacemaker::pcmk_sysconfig,
line => "PCMK_tls_priorities=${tls_priorities}",
match => '^PCMK_tls_priorities=',
require => Class['::pacemaker::install'],
before => Service['pcsd'],
}
}
user { $pcs_user:
password => pw_hash($pcs_password, 'SHA-512', fqdn_rand_string(10)),
groups => 'haclient',
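Review bot: The new `file_line` reads `$::pacemaker::pcmk_sysconfig`, while this class otherwise resolves params values directly, as `$::pacemaker::params::pcmk_remote_package_list` in the `ensure_resource` call above shows; on a remote-only node where the `pacemaker` class is not in the catalog the path evaluates to undef and the resource fails. `path => $::pacemaker::params::pcmk_sysconfig,` keeps the lookup consistent with the rest of the class. Likewise `require => Class['::pacemaker::install']` and `before => Service['pcsd']` name resources this class does not visibly declare (packages come from `ensure_resource` here and `$use_pcsd` defaults to false), so the relationships may fail catalog compilation unless those resources are guaranteed elsewhere; the lost indentation on this rendering makes it impossible to tell whether the block sits inside a `use_pcsd` guard. The enclosing class body continues outside the hunk.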