Support TLS priorities for pacemaker

Introduce a PacemakerTLSPriorities parameter (which will set the
PCMK_tls_priorities config option in /etc/sysconfig/pacemaker and the
PCMK_tls_priorities variable inside the bundle). This, when set, allows
an operator to specify what kind of GNUTLS ciphers are desired for the
pacemaker control port.

Tested on both queens and stein, via a deploy and a redeploy against an
existing cloud. Observed that:
A) We got PCMK_tls_priorities inside /etc/sysconfig/pacemaker with the
value that was passed in THT
B) Containers had the following env variable set:
  "PCMK_tls_priorities=normal",

Depends-On: I703b5a429f48063474aace85bc45d948f5c91435
Change-Id: I2a2ea8bfa4da35fa8721b14909b0968123379558
Michele Baldessari 2019-07-10 22:26:11 +02:00
parent 9119734f0a
commit feee059a43
2 changed files with 50 additions and 30 deletions
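The commit message verifies the change by hand (value in /etc/sysconfig/pacemaker, `PCMK_tls_priorities=normal` in the container env). The following is an added post-deploy check that automates that comparison; it is not part of this commit or of tripleo-heat-templates, and it assumes `podman inspect`-style JSON with a `Config.Env` list and uses constructed sample inputs.

```python
# Added post-deploy check, not part of this commit: confirm the THT value for
# PacemakerTLSPriorities reached the host's /etc/sysconfig/pacemaker and the
# bundle container's environment, the two places the commit message names.
import json
import re

# One `PCMK_tls_priorities=value` per line, optionally `export`ed or quoted.
_SYSCONFIG_RE = re.compile(
    r'^\s*(?:export\s+)?PCMK_tls_priorities=(?P<q>["\']?)(?P<val>[^"\'\n]*)(?P=q)\s*$',
    re.MULTILINE,
)

# Constructed sample inputs (shape assumed: `podman inspect` JSON with Config.Env).
SAMPLE_SYSCONFIG = """\
# constructed /etc/sysconfig/pacemaker after a deploy with PacemakerTLSPriorities=normal
# PCMK_tls_priorities=old-commented-out-value
PCMK_tls_priorities=normal
"""
SAMPLE_INSPECT = json.dumps([{
    "Name": "example_pacemaker_bundle",
    "Config": {"Env": ["PATH=/usr/sbin:/usr/bin", "PCMK_tls_priorities=normal"]},
}])

def sysconfig_priorities(text):
    """Last uncommented PCMK_tls_priorities value in sysconfig text, or None if unset."""
    matches = _SYSCONFIG_RE.findall(text)  # list of (quote, value) tuples
    return matches[-1][1] if matches else None

def container_priorities(inspect_json):
    """PCMK_tls_priorities from the container's Config.Env, or None if absent."""
    found = None
    for container in json.loads(inspect_json):
        for entry in container.get("Config", {}).get("Env", []):
            key, sep, value = entry.partition("=")
            if sep and key == "PCMK_tls_priorities":
                found = value
    return found

def check_tls_priorities(expected, sysconfig_text, inspect_json):
    """Return findings (empty list = host and bundle both carry the THT value)."""
    findings = []
    for where, actual in (("host sysconfig", sysconfig_priorities(sysconfig_text)),
                          ("bundle env", container_priorities(inspect_json))):
        if expected == "" and actual is not None:
            # Assumption: an empty THT value skips the hiera key, so no override is written.
            findings.append(f"{where}: unexpected override {actual!r}")
        elif expected != "" and actual != expected:
            findings.append(f"{where}: expected {expected!r}, got {actual!r}")
    return findings
```

Feed it the real file contents and `podman inspect <container>` output on a controller to get the same A)/B) evidence the commit message reports, as a list of mismatches instead of a manual read.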


@ -41,6 +41,10 @@ parameters:
default: false default: false
description: Whether to enable fencing in Pacemaker or not. description: Whether to enable fencing in Pacemaker or not.
type: boolean type: boolean
PacemakerTLSPriorities:
type: string
description: Pacemaker TLS Priorities
default: ''
PacemakerRemoteAuthkey: PacemakerRemoteAuthkey:
type: string type: string
description: The authkey for the pacemaker remote service. description: The authkey for the pacemaker remote service.
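Review bot: the description of the new `PacemakerTLSPriorities` parameter, "Pacemaker TLS Priorities", tells an operator neither what to put in it nor what the empty default does; since the value ends up in `PCMK_tls_priorities` and is handed to GnuTLS, say that it is a GnuTLS priority string (the test run used `normal`) and that leaving it empty keeps pacemaker's own default. There is also no `constraints:` entry, so a mistyped priority string is only noticed when pacemaker parses it on the node rather than at stack validation; even an `allowed_pattern` that rejects whitespace would catch the common paste errors early.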
@ -102,6 +106,9 @@ parameters:
type: boolean type: boolean
default: true default: true
conditions:
pcmk_tls_priorities_empty: {equals: [{get_param: PacemakerTLSPriorities}, '']}
outputs: outputs:
role_data: role_data:
description: Role data for the Pacemaker role. description: Role data for the Pacemaker role.
@ -109,36 +116,42 @@ outputs:
service_name: pacemaker service_name: pacemaker
monitoring_subscription: {get_param: MonitoringSubscriptionPacemaker} monitoring_subscription: {get_param: MonitoringSubscriptionPacemaker}
config_settings: config_settings:
pacemaker::corosync::cluster_name: 'tripleo_cluster' map_merge:
pacemaker::corosync::manage_fw: false - pacemaker::corosync::cluster_name: 'tripleo_cluster'
pacemaker::resource_defaults::defaults: pacemaker::corosync::manage_fw: false
resource-stickiness: { value: INFINITY } pacemaker::resource_defaults::defaults:
corosync_token_timeout: 10000 resource-stickiness: { value: INFINITY }
pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries} corosync_token_timeout: 10000
pacemaker::resource::bundle::deep_compare: true pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries}
pacemaker::resource::ip::deep_compare: true pacemaker::resource::bundle::deep_compare: true
pacemaker::resource::ocf::deep_compare: true pacemaker::resource::ip::deep_compare: true
tripleo::pacemaker::firewall_rules: pacemaker::resource::ocf::deep_compare: true
'130 pacemaker tcp': tripleo.pacemaker.firewall_rules:
proto: 'tcp' '130 pacemaker tcp':
dport: proto: 'tcp'
- 2224 dport:
- 3121 - 2224
- 21064 - 3121
'131 pacemaker udp': - 21064
proto: 'udp' '131 pacemaker udp':
dport: 5405 proto: 'udp'
corosync_ipv6: {get_param: CorosyncIPv6} dport: 5405
tripleo::fencing::config: {get_param: FencingConfig} corosync_ipv6: {get_param: CorosyncIPv6}
enable_fencing: {get_param: EnableFencing} tripleo::fencing::config: {get_param: FencingConfig}
hacluster_pwd: enable_fencing: {get_param: EnableFencing}
yaql: hacluster_pwd:
expression: $.data.passwords.where($ != '').first() yaql:
data: expression: $.data.passwords.where($ != '').first()
passwords: data:
- {get_param: PcsdPassword} passwords:
- {get_param: [DefaultPasswords, pcsd_password]} - {get_param: PcsdPassword}
tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey} - {get_param: [DefaultPasswords, pcsd_password]}
tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey}
-
if:
- pcmk_tls_priorities_empty
- {}
- tripleo::pacemaker::tls_priorities: {get_param: PacemakerTLSPriorities}
service_config_settings: service_config_settings:
fluentd: fluentd:
tripleo_fluentd_groups_pacemaker: tripleo_fluentd_groups_pacemaker:
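Review bot: besides the `map_merge`/`if` wrapping, this hunk also changes the firewall rules key from `tripleo::pacemaker::firewall_rules:` to `tripleo.pacemaker.firewall_rules:`, and neither the commit message nor the release note mentions it. That key decides under which hiera name the 2224/3121/21064 tcp and 5405 udp rules are published, so an unexplained rename is a functional change hiding inside a refactor: document it (including why it is safe on the redeploy of an existing cloud) or move it to its own change. The conditional itself reads fine: with `pcmk_tls_priorities_empty` the merge adds `{}`, so `tripleo::pacemaker::tls_priorities` (which the puppet side, presumably the Depends-On change, has to consume) is left out rather than set to ''.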


@ -0,0 +1,7 @@
---
features:
- |
Introduce a PacemakerTLSPriorities parameter (which will set the PCMK_tls_priorities
config option in /etc/sysconfig/pacemaker and the PCMK_tls_priorities variable
inside the bundle. This, when set, allows an operator to specify what kind of
GNUTLS ciphers are desired for the pacemaker control port.
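Review bot: the release note has an unbalanced parenthesis ("(which will set the ..." is never closed), so it renders as a fragment; either drop the opening parenthesis or close it after "inside the bundle". It would also help operators to state the value format (a GnuTLS priority string) and that an empty value leaves pacemaker's default untouched, since that is the behaviour the note exists to advertise.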