Merge "Support TLS priorities for pacemaker" into stable/stein

Zuul 2019-08-19 17:39:13 +00:00 committed by Gerrit Code Review
commit 5b10134014
2 changed files with 50 additions and 30 deletions


@ -41,6 +41,10 @@ parameters:
default: false default: false
description: Whether to enable fencing in Pacemaker or not. description: Whether to enable fencing in Pacemaker or not.
type: boolean type: boolean
PacemakerTLSPriorities:
type: string
description: Pacemaker TLS Priorities
default: ''
PacemakerRemoteAuthkey: PacemakerRemoteAuthkey:
type: string type: string
description: The authkey for the pacemaker remote service. description: The authkey for the pacemaker remote service.
@ -102,6 +106,9 @@ parameters:
type: boolean type: boolean
default: true default: true
conditions:
pcmk_tls_priorities_empty: {equals: [{get_param: PacemakerTLSPriorities}, '']}
outputs: outputs:
role_data: role_data:
description: Role data for the Pacemaker role. description: Role data for the Pacemaker role.
@ -109,36 +116,42 @@ outputs:
service_name: pacemaker service_name: pacemaker
monitoring_subscription: {get_param: MonitoringSubscriptionPacemaker} monitoring_subscription: {get_param: MonitoringSubscriptionPacemaker}
config_settings: config_settings:
pacemaker::corosync::cluster_name: 'tripleo_cluster' map_merge:
pacemaker::corosync::manage_fw: false - pacemaker::corosync::cluster_name: 'tripleo_cluster'
pacemaker::resource_defaults::defaults: pacemaker::corosync::manage_fw: false
resource-stickiness: { value: INFINITY } pacemaker::resource_defaults::defaults:
corosync_token_timeout: 10000 resource-stickiness: { value: INFINITY }
pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries} corosync_token_timeout: 10000
pacemaker::resource::bundle::deep_compare: true pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries}
pacemaker::resource::ip::deep_compare: true pacemaker::resource::bundle::deep_compare: true
pacemaker::resource::ocf::deep_compare: true pacemaker::resource::ip::deep_compare: true
tripleo::pacemaker::firewall_rules: pacemaker::resource::ocf::deep_compare: true
'130 pacemaker tcp': tripleo::pacemaker::firewall_rules:
proto: 'tcp' '130 pacemaker tcp':
dport: proto: 'tcp'
- 2224 dport:
- 3121 - 2224
- 21064 - 3121
'131 pacemaker udp': - 21064
proto: 'udp' '131 pacemaker udp':
dport: 5405 proto: 'udp'
corosync_ipv6: {get_param: CorosyncIPv6} dport: 5405
tripleo::fencing::config: {get_param: FencingConfig} corosync_ipv6: {get_param: CorosyncIPv6}
enable_fencing: {get_param: EnableFencing} tripleo::fencing::config: {get_param: FencingConfig}
hacluster_pwd: enable_fencing: {get_param: EnableFencing}
yaql: hacluster_pwd:
expression: $.data.passwords.where($ != '').first() yaql:
data: expression: $.data.passwords.where($ != '').first()
passwords: data:
- {get_param: PcsdPassword} passwords:
- {get_param: [DefaultPasswords, pcsd_password]} - {get_param: PcsdPassword}
tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey} - {get_param: [DefaultPasswords, pcsd_password]}
tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey}
-
if:
- pcmk_tls_priorities_empty
- {}
- tripleo::pacemaker::tls_priorities: {get_param: PacemakerTLSPriorities}
service_config_settings: service_config_settings:
fluentd: fluentd:
tripleo_fluentd_groups_pacemaker: tripleo_fluentd_groups_pacemaker:
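Review bot: `PacemakerTLSPriorities` in the first hunk is documented only as "Pacemaker TLS Priorities", which tells an operator neither the expected format nor what the empty default does. The release note in this commit says the value becomes `PCMK_tls_priorities` and selects GnuTLS ciphers, and the `pcmk_tls_priorities_empty` condition leaves the hiera key out when the value is empty, so I would write `description: GnuTLS priority string used for PCMK_tls_priorities; leave empty to not set tripleo::pacemaker::tls_priorities.` The string is also passed through unvalidated and, per the release note, ends up in /etc/sysconfig/pacemaker. How the consuming Puppet code quotes it is not visible here, so consider a `constraints:` entry with an `allowed_pattern` limited to the characters a priority string needs; a stray quote or whitespace would then fail at stack validation instead of on the cluster nodes.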


@ -0,0 +1,7 @@
---
features:
- |
Introduce a PacemakerTLSPriorities parameter (which will set the PCMK_tls_priorities
config option in /etc/sysconfig/pacemaker and the PCMK_tls_priorities variable
inside the bundle. This, when set, allows an operator to specify what kind of
GNUTLS ciphers are desired for the pacemaker control port.