openstack/puppet-tripleo
Code Issues Proposed changes

Enable encryption of pacemaker traffic by default

Browse Source 
We already are setting a pre-shared key by default for the pacemaker
cluster. This was done in order to communicate with TLS-PSK with
pacemaker-remote clusters. This key is also useful for us to enable
encrypted traffic for the regular cluster traffic, which we enable by
default with this patch.

Change-Id: I349b8bf79eeeaa4ddde1c17b7014603913f184cf
This commit is contained in:
Juan Antonio Osorio Robles 2017-07-31 11:22:22 +03:00
parent 01ae503525
commit c5dc851235
2 changed files with 24 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
manifests/profile/base/pacemaker.pp
View File

@ -63,6 +63,10 @@
# be set to 60s. # be set to 60s.
# Defaults to hiera('pacemaker_cluster_recheck_interval', undef) # Defaults to hiera('pacemaker_cluster_recheck_interval', undef)
# #
# [*encryption*]
# (Optional) Whether or not to enable encryption of the pacemaker traffic
# Defaults to true
#
class tripleo::profile::base::pacemaker ( class tripleo::profile::base::pacemaker (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$pcs_tries = hiera('pcs_tries', 20), $pcs_tries = hiera('pcs_tries', 20),
@ -74,6 +78,7 @@ class tripleo::profile::base::pacemaker (
$remote_tries = hiera('pacemaker_remote_tries', 5), $remote_tries = hiera('pacemaker_remote_tries', 5),
$remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60), $remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60),
$cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef), $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef),
$encryption = true,
) { ) {
if count($remote_short_node_names) != count($remote_node_ips) { if count($remote_short_node_names) != count($remote_node_ips) {
@ -98,9 +103,20 @@ class tripleo::profile::base::pacemaker (
$pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G')) $pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G'))
$corosync_ipv6 = str2bool(hiera('corosync_ipv6', false)) $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false))
if $corosync_ipv6 { if $corosync_ipv6 {
$cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' } $cluster_setup_extras_pre = {
'--token' => hiera('corosync_token_timeout', 1000),
'--ipv6' => ''
}
} else { } else {
$cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000) } $cluster_setup_extras_pre = {
'--token' => hiera('corosync_token_timeout', 1000)
}
}
if $encryption {
$cluster_setup_extras = merge($cluster_setup_extras_pre, {'--encryption' => '1'})
} else {
$cluster_setup_extras = $cluster_setup_extras_pre
} }
class { '::pacemaker': class { '::pacemaker':
hacluster_pwd => hiera('hacluster_pwd'), hacluster_pwd => hiera('hacluster_pwd'),

6
releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml Normal file
View File

@ -0,0 +1,6 @@
---
features:
- |
Encryption is used for pacemaker traffic by default. This is achieved by
using a pre shared key for all the pacemaker cluster nodes (same as the one
that was used for the pacemaker remote communication).