Support TLS priorities for pacemaker

Introduce a PacemakerTLSPriorities parameter (which will set the PCMK_tls_priorities config option in /etc/sysconfig/pacemaker and the PCMK_tls_priorities variable inside the bundle. This, when set, allows an operator to specify what kind of GNUTLS ciphers are desired for the pacemaker control port. Tested on both queens and stein. Via a deploy and a redeploy against existing cloud. Observed that: A) We got PCMK_tls_priorities inside /etc/sysconfig/pacemaker with the value that was passed in THT B) Containers had the following env variable set: "PCMK_tls_priorities=normal", NB: cherry-pick not 100% clean (tiny conflict due to I0b2ae95563f64a21ef673e1e60889424a03fbc42 enable stonith deep_compare being merged in the meantime). Also made sure that the firewall_rules are expressed with '.' and not with '::' (I6f67153e04aed191acb715fe8cfa976ee2e75878 is the change that happened later which explains the background) (cherry-picked from commit feee059a43) (cherry picked from commit 62f6287a8f) Depends-On: I703b5a429f48063474aace85bc45d948f5c91435 Change-Id: I2a2ea8bfa4da35fa8721b14909b0968123379558 (cherry picked from commit 8a75427d69)
2019-08-15 08:10:57 +02:00 · 2019-08-15 08:10:57 +02:00 · 7879148793
parent 140532ee7a
commit 7879148793
2 changed files with 51 additions and 31 deletions
--- a/puppet/services/pacemaker.yaml
+++ b/puppet/services/pacemaker.yaml
@ -41,6 +41,10 @@ parameters:
    default: false
    description: Whether to enable fencing in Pacemaker or not.
    type: boolean
+  PacemakerTLSPriorities:
+    type: string
+    description: Pacemaker TLS Priorities
+    default: ''
  PacemakerRemoteAuthkey:
    type: string
    description: The authkey for the pacemaker remote service.
@ -102,6 +106,9 @@ parameters:
    description: Whether to deploy a LoadBalancer on the Controller
    type: boolean

+conditions:
+  pcmk_tls_priorities_empty: {equals: [{get_param: PacemakerTLSPriorities}, '']}
+
 outputs:
  role_data:
    description: Role data for the Pacemaker role.
@ -109,37 +116,43 @@ outputs:
      service_name: pacemaker
      monitoring_subscription: {get_param: MonitoringSubscriptionPacemaker}
      config_settings:
-        pacemaker::corosync::cluster_name: 'tripleo_cluster'
-        pacemaker::corosync::manage_fw: false
-        pacemaker::resource_defaults::defaults:
-          resource-stickiness: { value: INFINITY }
-        corosync_token_timeout: 10000
-        pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries}
-        pacemaker::resource::bundle::deep_compare: true
-        pacemaker::resource::ip::deep_compare: true
-        pacemaker::resource::ocf::deep_compare: true
-        tripleo.pacemaker.firewall_rules:
-          '130 pacemaker tcp':
-            proto: 'tcp'
-            dport:
-              - 2224
-              - 3121
-              - 21064
-          '131 pacemaker udp':
-            proto: 'udp'
-            dport: 5405
-        corosync_ipv6: {get_param: CorosyncIPv6}
-        tripleo::fencing::config: {get_param: FencingConfig}
-        tripleo::fencing::deep_compare: true
-        enable_fencing: {get_param: EnableFencing}
-        hacluster_pwd:
-          yaql:
-            expression: $.data.passwords.where($ != '').first()
-            data:
-              passwords:
-                - {get_param: PcsdPassword}
-                - {get_param: [DefaultPasswords, pcsd_password]}
-        tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey}
+        map_merge:
+        - pacemaker::corosync::cluster_name: 'tripleo_cluster'
+          pacemaker::corosync::manage_fw: false
+          pacemaker::resource_defaults::defaults:
+            resource-stickiness: { value: INFINITY }
+          corosync_token_timeout: 10000
+          pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries}
+          pacemaker::resource::bundle::deep_compare: true
+          pacemaker::resource::ip::deep_compare: true
+          pacemaker::resource::ocf::deep_compare: true
+          tripleo.pacemaker.firewall_rules:
+            '130 pacemaker tcp':
+              proto: 'tcp'
+              dport:
+                - 2224
+                - 3121
+                - 21064
+            '131 pacemaker udp':
+              proto: 'udp'
+              dport: 5405
+          corosync_ipv6: {get_param: CorosyncIPv6}
+          tripleo::fencing::config: {get_param: FencingConfig}
+          tripleo::fencing::deep_compare: true
+          enable_fencing: {get_param: EnableFencing}
+          hacluster_pwd:
+            yaql:
+              expression: $.data.passwords.where($ != '').first()
+              data:
+                passwords:
+                  - {get_param: PcsdPassword}
+                  - {get_param: [DefaultPasswords, pcsd_password]}
+          tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey}
+        -
+          if:
+          - pcmk_tls_priorities_empty
+          - {}
+          - tripleo::pacemaker::tls_priorities: {get_param: PacemakerTLSPriorities}
      service_config_settings:
        fluentd:
          tripleo_fluentd_groups_pacemaker:
--- a/releasenotes/notes/pcmktlspriorities-4315010185adf45a.yaml
+++ b/releasenotes/notes/pcmktlspriorities-4315010185adf45a.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Introduce a PacemakerTLSPriorities parameter (which will set the PCMK_tls_priorities
+    config option in /etc/sysconfig/pacemaker and the PCMK_tls_priorities variable
+    inside the bundle. This, when set, allows an operator to specify what kind of
+    GNUTLS ciphers are desired for the pacemaker control port.