Support TLS priorities for pacemaker
Introduce a PacemakerTLSPriorities parameter (which will set the PCMK_tls_priorities config option in /etc/sysconfig/pacemaker and the PCMK_tls_priorities variable inside the bundle). This, when set, allows an operator to specify what kind of GNUTLS ciphers are desired for the pacemaker control port. Tested on both queens and stein, via a deploy and a redeploy against an existing cloud. Observed that: A) We got PCMK_tls_priorities inside /etc/sysconfig/pacemaker with the value that was passed in THT; B) Containers had the following env variable set: "PCMK_tls_priorities=normal". NB: cherry-pick not 100% clean (tiny conflict due to I0b2ae95563f64a21ef673e1e60889424a03fbc42, enable stonith deep_compare, being merged in the meantime). Also made sure that the firewall_rules are expressed with '.' and not with '::' (I6f67153e04aed191acb715fe8cfa976ee2e75878 is the change that happened later which explains the background). (cherry picked from commit feee059a43) (cherry picked from commit 62f6287a8f) Depends-On: I703b5a429f48063474aace85bc45d948f5c91435 Change-Id: I2a2ea8bfa4da35fa8721b14909b0968123379558 (cherry picked from commit 8a75427d69)
parent
140532ee7a
commit
7879148793
|
@ -41,6 +41,10 @@ parameters:
|
|||
default: false
|
||||
description: Whether to enable fencing in Pacemaker or not.
|
||||
type: boolean
|
||||
PacemakerTLSPriorities:
|
||||
type: string
|
||||
description: Pacemaker TLS Priorities
|
||||
default: ''
|
||||
PacemakerRemoteAuthkey:
|
||||
type: string
|
||||
description: The authkey for the pacemaker remote service.
|
||||
|
@ -102,6 +106,9 @@ parameters:
|
|||
description: Whether to deploy a LoadBalancer on the Controller
|
||||
type: boolean
|
||||
|
||||
conditions:
|
||||
pcmk_tls_priorities_empty: {equals: [{get_param: PacemakerTLSPriorities}, '']}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the Pacemaker role.
|
||||
|
@ -109,37 +116,43 @@ outputs:
|
|||
service_name: pacemaker
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionPacemaker}
|
||||
config_settings:
|
||||
pacemaker::corosync::cluster_name: 'tripleo_cluster'
|
||||
pacemaker::corosync::manage_fw: false
|
||||
pacemaker::resource_defaults::defaults:
|
||||
resource-stickiness: { value: INFINITY }
|
||||
corosync_token_timeout: 10000
|
||||
pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries}
|
||||
pacemaker::resource::bundle::deep_compare: true
|
||||
pacemaker::resource::ip::deep_compare: true
|
||||
pacemaker::resource::ocf::deep_compare: true
|
||||
tripleo.pacemaker.firewall_rules:
|
||||
'130 pacemaker tcp':
|
||||
proto: 'tcp'
|
||||
dport:
|
||||
- 2224
|
||||
- 3121
|
||||
- 21064
|
||||
'131 pacemaker udp':
|
||||
proto: 'udp'
|
||||
dport: 5405
|
||||
corosync_ipv6: {get_param: CorosyncIPv6}
|
||||
tripleo::fencing::config: {get_param: FencingConfig}
|
||||
tripleo::fencing::deep_compare: true
|
||||
enable_fencing: {get_param: EnableFencing}
|
||||
hacluster_pwd:
|
||||
yaql:
|
||||
expression: $.data.passwords.where($ != '').first()
|
||||
data:
|
||||
passwords:
|
||||
- {get_param: PcsdPassword}
|
||||
- {get_param: [DefaultPasswords, pcsd_password]}
|
||||
tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey}
|
||||
map_merge:
|
||||
- pacemaker::corosync::cluster_name: 'tripleo_cluster'
|
||||
pacemaker::corosync::manage_fw: false
|
||||
pacemaker::resource_defaults::defaults:
|
||||
resource-stickiness: { value: INFINITY }
|
||||
corosync_token_timeout: 10000
|
||||
pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries}
|
||||
pacemaker::resource::bundle::deep_compare: true
|
||||
pacemaker::resource::ip::deep_compare: true
|
||||
pacemaker::resource::ocf::deep_compare: true
|
||||
tripleo.pacemaker.firewall_rules:
|
||||
'130 pacemaker tcp':
|
||||
proto: 'tcp'
|
||||
dport:
|
||||
- 2224
|
||||
- 3121
|
||||
- 21064
|
||||
'131 pacemaker udp':
|
||||
proto: 'udp'
|
||||
dport: 5405
|
||||
corosync_ipv6: {get_param: CorosyncIPv6}
|
||||
tripleo::fencing::config: {get_param: FencingConfig}
|
||||
tripleo::fencing::deep_compare: true
|
||||
enable_fencing: {get_param: EnableFencing}
|
||||
hacluster_pwd:
|
||||
yaql:
|
||||
expression: $.data.passwords.where($ != '').first()
|
||||
data:
|
||||
passwords:
|
||||
- {get_param: PcsdPassword}
|
||||
- {get_param: [DefaultPasswords, pcsd_password]}
|
||||
tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey}
|
||||
-
|
||||
if:
|
||||
- pcmk_tls_priorities_empty
|
||||
- {}
|
||||
- tripleo::pacemaker::tls_priorities: {get_param: PacemakerTLSPriorities}
|
||||
service_config_settings:
|
||||
fluentd:
|
||||
tripleo_fluentd_groups_pacemaker:
|
||||
|
|
|
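Review bot: The new PacemakerTLSPriorities parameter (first hunk, `description: Pacemaker TLS Priorities`) does not tell an operator what format the value takes or what happens when it is left at the default `''`; since the third hunk only emits `tripleo::pacemaker::tls_priorities` when `pcmk_tls_priorities_empty` is false, the empty default silently keeps whatever priorities Pacemaker itself ships with, and a malformed string would presumably only surface when the pacemaker service starts and fails to negotiate TLS. I would replace the description with `description: >-` followed by `GnuTLS priority string applied to PCMK_tls_priorities for the Pacemaker control/remote port` and `(e.g. NORMAL); leave empty to keep Pacemaker's built-in default priorities.`, which matches the behaviour the commit message describes for /etc/sysconfig/pacemaker and the bundle environment. Given that the firewall_rules in the same hunk open 2224/3121/21064, it is worth naming in the description which of those listeners the priority string governs (the commit message says the control port; I cannot confirm from the template which one that is). The `equals` condition also treats a whitespace-only value as non-empty, so a stray space would be passed through to PCMK_tls_priorities unchanged; if that matters, a `constraints:` entry with an `allowed_pattern` on the parameter would catch it at stack validation time rather than at service start.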
@ -0,0 +1,7 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
Introduce a PacemakerTLSPriorities parameter (which will set the PCMK_tls_priorities
|
||||
config option in /etc/sysconfig/pacemaker and the PCMK_tls_priorities variable
|
||||
inside the bundle. This, when set, allows an operator to specify what kind of
|
||||
GNUTLS ciphers are desired for the pacemaker control port.
|