Support TLS priorities for pacemaker
Introduce a PacemakerTLSPriorities parameter (which will set the PCMK_tls_priorities config option in /etc/sysconfig/pacemaker and the PCMK_tls_priorities variable inside the bundle). This, when set, allows an operator to specify what kind of GNUTLS ciphers are desired for the pacemaker control port. Tested on both queens and stein, via a deploy and a redeploy against an existing cloud. Observed that: A) We got PCMK_tls_priorities inside /etc/sysconfig/pacemaker with the value that was passed in THT; B) Containers had the following env variable set: "PCMK_tls_priorities=normal". Depends-On: I703b5a429f48063474aace85bc45d948f5c91435 Change-Id: I2a2ea8bfa4da35fa8721b14909b0968123379558
This commit is contained in:
parent
9119734f0a
commit
feee059a43
@ -41,6 +41,10 @@ parameters:
|
|||||||
default: false
|
default: false
|
||||||
description: Whether to enable fencing in Pacemaker or not.
|
description: Whether to enable fencing in Pacemaker or not.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
PacemakerTLSPriorities:
|
||||||
|
type: string
|
||||||
|
description: Pacemaker TLS Priorities
|
||||||
|
default: ''
|
||||||
PacemakerRemoteAuthkey:
|
PacemakerRemoteAuthkey:
|
||||||
type: string
|
type: string
|
||||||
description: The authkey for the pacemaker remote service.
|
description: The authkey for the pacemaker remote service.
|
||||||
@ -102,6 +106,9 @@ parameters:
|
|||||||
type: boolean
|
type: boolean
|
||||||
default: true
|
default: true
|
||||||
|
|
||||||
|
conditions:
|
||||||
|
pcmk_tls_priorities_empty: {equals: [{get_param: PacemakerTLSPriorities}, '']}
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
role_data:
|
role_data:
|
||||||
description: Role data for the Pacemaker role.
|
description: Role data for the Pacemaker role.
|
||||||
@ -109,36 +116,42 @@ outputs:
|
|||||||
service_name: pacemaker
|
service_name: pacemaker
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionPacemaker}
|
monitoring_subscription: {get_param: MonitoringSubscriptionPacemaker}
|
||||||
config_settings:
|
config_settings:
|
||||||
pacemaker::corosync::cluster_name: 'tripleo_cluster'
|
map_merge:
|
||||||
pacemaker::corosync::manage_fw: false
|
- pacemaker::corosync::cluster_name: 'tripleo_cluster'
|
||||||
pacemaker::resource_defaults::defaults:
|
pacemaker::corosync::manage_fw: false
|
||||||
resource-stickiness: { value: INFINITY }
|
pacemaker::resource_defaults::defaults:
|
||||||
corosync_token_timeout: 10000
|
resource-stickiness: { value: INFINITY }
|
||||||
pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries}
|
corosync_token_timeout: 10000
|
||||||
pacemaker::resource::bundle::deep_compare: true
|
pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries}
|
||||||
pacemaker::resource::ip::deep_compare: true
|
pacemaker::resource::bundle::deep_compare: true
|
||||||
pacemaker::resource::ocf::deep_compare: true
|
pacemaker::resource::ip::deep_compare: true
|
||||||
tripleo::pacemaker::firewall_rules:
|
pacemaker::resource::ocf::deep_compare: true
|
||||||
'130 pacemaker tcp':
|
tripleo.pacemaker.firewall_rules:
|
||||||
proto: 'tcp'
|
'130 pacemaker tcp':
|
||||||
dport:
|
proto: 'tcp'
|
||||||
- 2224
|
dport:
|
||||||
- 3121
|
- 2224
|
||||||
- 21064
|
- 3121
|
||||||
'131 pacemaker udp':
|
- 21064
|
||||||
proto: 'udp'
|
'131 pacemaker udp':
|
||||||
dport: 5405
|
proto: 'udp'
|
||||||
corosync_ipv6: {get_param: CorosyncIPv6}
|
dport: 5405
|
||||||
tripleo::fencing::config: {get_param: FencingConfig}
|
corosync_ipv6: {get_param: CorosyncIPv6}
|
||||||
enable_fencing: {get_param: EnableFencing}
|
tripleo::fencing::config: {get_param: FencingConfig}
|
||||||
hacluster_pwd:
|
enable_fencing: {get_param: EnableFencing}
|
||||||
yaql:
|
hacluster_pwd:
|
||||||
expression: $.data.passwords.where($ != '').first()
|
yaql:
|
||||||
data:
|
expression: $.data.passwords.where($ != '').first()
|
||||||
passwords:
|
data:
|
||||||
- {get_param: PcsdPassword}
|
passwords:
|
||||||
- {get_param: [DefaultPasswords, pcsd_password]}
|
- {get_param: PcsdPassword}
|
||||||
tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey}
|
- {get_param: [DefaultPasswords, pcsd_password]}
|
||||||
|
tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey}
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- pcmk_tls_priorities_empty
|
||||||
|
- {}
|
||||||
|
- tripleo::pacemaker::tls_priorities: {get_param: PacemakerTLSPriorities}
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
fluentd:
|
fluentd:
|
||||||
tripleo_fluentd_groups_pacemaker:
|
tripleo_fluentd_groups_pacemaker:
|
||||||
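Review bot: In the reindented config_settings of the third hunk, the firewall key is spelled `tripleo::pacemaker::firewall_rules:` on the old side but `tripleo.pacemaker.firewall_rules:` on the new side; if that change in spelling is not intended, the new line should keep the old form, because puppet-tripleo presumably resolves the service's firewall rules by one exact hiera key and a mismatched key would leave the 2224/3121/21064/5405 rules listed right below it unapplied without any error. The rest of that hunk only wraps the existing map in `map_merge` and appends `tripleo::pacemaker::tls_priorities` when `pcmk_tls_priorities_empty` is false, which matches the condition added in the second hunk. Separately, the first hunk's `description: Pacemaker TLS Priorities` merely restates the parameter name; I would write `description: GnuTLS priority string for the Pacemaker control port, written as PCMK_tls_priorities to /etc/sysconfig/pacemaker and into the bundle environment. Leave empty to keep Pacemaker's built-in default.` so an operator knows the expected format and what the empty default means.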
|
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Introduce a PacemakerTLSPriorities parameter (which will set the PCMK_tls_priorities
|
||||||
|
config option in /etc/sysconfig/pacemaker and the PCMK_tls_priorities variable
|
||||||
|
inside the bundle. This, when set, allows an operator to specify what kind of
|
||||||
|
GNUTLS ciphers are desired for the pacemaker control port.
|