
Merge "Support TLS priorities for pacemaker" into stable/stein

tags/10.6.1
Zuul 1 month ago
parent
commit
5b10134014

+ 43
- 30
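--- a/puppet/services/pacemaker.yaml
+++ b/puppet/services/pacemaker.yaml
@@ -41,6 +41,10 @@ parameters:
     default: false
     description: Whether to enable fencing in Pacemaker or not.
     type: boolean
+  PacemakerTLSPriorities:
+    type: string
+    description: Pacemaker TLS Priorities
+    default: ''
   PacemakerRemoteAuthkey:
     type: string
     description: The authkey for the pacemaker remote service.
@@ -102,6 +106,9 @@ parameters:
     type: boolean
     default: true
 
+conditions:
+  pcmk_tls_priorities_empty: {equals: [{get_param: PacemakerTLSPriorities}, '']}
+
 outputs:
   role_data:
     description: Role data for the Pacemaker role.
@@ -109,36 +116,42 @@ outputs:
       service_name: pacemaker
       monitoring_subscription: {get_param: MonitoringSubscriptionPacemaker}
       config_settings:
-        pacemaker::corosync::cluster_name: 'tripleo_cluster'
-        pacemaker::corosync::manage_fw: false
-        pacemaker::resource_defaults::defaults:
-          resource-stickiness: { value: INFINITY }
-        corosync_token_timeout: 10000
-        pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries}
-        pacemaker::resource::bundle::deep_compare: true
-        pacemaker::resource::ip::deep_compare: true
-        pacemaker::resource::ocf::deep_compare: true
-        tripleo::pacemaker::firewall_rules:
-          '130 pacemaker tcp':
-            proto: 'tcp'
-            dport:
-              - 2224
-              - 3121
-              - 21064
-          '131 pacemaker udp':
-            proto: 'udp'
-            dport: 5405
-        corosync_ipv6: {get_param: CorosyncIPv6}
-        tripleo::fencing::config: {get_param: FencingConfig}
-        enable_fencing: {get_param: EnableFencing}
-        hacluster_pwd:
-          yaql:
-            expression: $.data.passwords.where($ != '').first()
-            data:
-              passwords:
-                - {get_param: PcsdPassword}
-                - {get_param: [DefaultPasswords, pcsd_password]}
-        tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey}
+        map_merge:
+        - pacemaker::corosync::cluster_name: 'tripleo_cluster'
+          pacemaker::corosync::manage_fw: false
+          pacemaker::resource_defaults::defaults:
+            resource-stickiness: { value: INFINITY }
+          corosync_token_timeout: 10000
+          pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries}
+          pacemaker::resource::bundle::deep_compare: true
+          pacemaker::resource::ip::deep_compare: true
+          pacemaker::resource::ocf::deep_compare: true
+          tripleo::pacemaker::firewall_rules:
+            '130 pacemaker tcp':
+              proto: 'tcp'
+              dport:
+                - 2224
+                - 3121
+                - 21064
+            '131 pacemaker udp':
+              proto: 'udp'
+              dport: 5405
+          corosync_ipv6: {get_param: CorosyncIPv6}
+          tripleo::fencing::config: {get_param: FencingConfig}
+          enable_fencing: {get_param: EnableFencing}
+          hacluster_pwd:
+            yaql:
+              expression: $.data.passwords.where($ != '').first()
+              data:
+                passwords:
+                  - {get_param: PcsdPassword}
+                  - {get_param: [DefaultPasswords, pcsd_password]}
+          tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey}
+        -
+          if:
+          - pcmk_tls_priorities_empty
+          - {}
+          - tripleo::pacemaker::tls_priorities: {get_param: PacemakerTLSPriorities}
       service_config_settings:
         fluentd:
           tripleo_fluentd_groups_pacemaker: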
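Review bot: The description of the new `PacemakerTLSPriorities` parameter in the first hunk only repeats its name, so an operator cannot tell what format the value takes or what the empty default means. I would expand it to something like `description: GnuTLS priority string for the Pacemaker control port (sets PCMK_tls_priorities). Empty leaves the Pacemaker default in place.` The second half matches the `if` on `pcmk_tls_priorities_empty` in the third hunk, which merges `{}` and so leaves `tripleo::pacemaker::tls_priorities` unset when the parameter is empty. The value is passed through as a free-form string with no constraint visible in these hunks, so a mistyped or overly permissive priority string would presumably only show up at TLS negotiation time; the description should say the template does not validate it. The `parameters:` and `outputs:` blocks both continue outside the hunks shown.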

+ 7
- 0
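--- a/releasenotes/notes/pcmktlspriorities-4315010185adf45a.yaml
+++ b/releasenotes/notes/pcmktlspriorities-4315010185adf45a.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Introduce a PacemakerTLSPriorities parameter (which will set the PCMK_tls_priorities
+    config option in /etc/sysconfig/pacemaker and the PCMK_tls_priorities variable
+    inside the bundle. This, when set, allows an operator to specify what kind of
+    GNUTLS ciphers are desired for the pacemaker control port.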
