Enable encryption of pacemaker traffic by default

We already are setting a pre-shared key by default for the pacemaker cluster. This was done in order to communicate with TLS-PSK with pacemaker-remote clusters. This key is also useful for us to enable encrypted traffic for the regular cluster traffic, which we enable by default with this patch. Change-Id: I349b8bf79eeeaa4ddde1c17b7014603913f184cf
2017-07-31 11:22:22 +03:00 · 2017-07-31 11:22:22 +03:00 · c5dc851235
parent 01ae503525
commit c5dc851235
2 changed files with 24 additions and 2 deletions
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@ -63,6 +63,10 @@
 #   be set to 60s.
 #   Defaults to hiera('pacemaker_cluster_recheck_interval', undef)
 #
+# [*encryption*]
+#   (Optional) Whether or not to enable encryption of the pacemaker traffic
+#   Defaults to true
+#
 class tripleo::profile::base::pacemaker (
  $step                      = Integer(hiera('step')),
  $pcs_tries                 = hiera('pcs_tries', 20),
@ -74,6 +78,7 @@ class tripleo::profile::base::pacemaker (
  $remote_tries              = hiera('pacemaker_remote_tries', 5),
  $remote_try_sleep          = hiera('pacemaker_remote_try_sleep', 60),
  $cluster_recheck_interval  = hiera('pacemaker_cluster_recheck_interval', undef),
+  $encryption                = true,
 ) {

  if count($remote_short_node_names) != count($remote_node_ips) {
@ -98,9 +103,20 @@ class tripleo::profile::base::pacemaker (
    $pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G'))
    $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false))
    if $corosync_ipv6 {
-      $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' }
+      $cluster_setup_extras_pre = {
+        '--token' => hiera('corosync_token_timeout', 1000),
+        '--ipv6' => ''
+      }
    } else {
-      $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000) }
+      $cluster_setup_extras_pre = {
+        '--token' => hiera('corosync_token_timeout', 1000)
+      }
+    }
+
+    if $encryption {
+      $cluster_setup_extras = merge($cluster_setup_extras_pre, {'--encryption' => '1'})
+    } else {
+      $cluster_setup_extras = $cluster_setup_extras_pre
    }
    class { '::pacemaker':
      hacluster_pwd => hiera('hacluster_pwd'),
--- a/releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml
+++ b/releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Encryption is used for pacemaker traffic by default. This is achieved by
+    using a pre shared key for all the pacemaker cluster nodes (same as the one
+    that was used for the pacemaker remote communication).