Support TLS priorities for pacemaker

Introduce a PacemakerTLSPriorities parameter (which will set the PCMK_tls_priorities config option in /etc/sysconfig/pacemaker and the PCMK_tls_priorities variable inside the bundle. This, when set, allows an operator to specify what kind of GNUTLS ciphers are desired for the pacemaker control port. Tested on both queens and stein. Via a deploy and a redeploy against existing cloud. Observed that: A) We got PCMK_tls_priorities inside /etc/sysconfig/pacemaker with the value that was passed in THT B) Containers had the following env variable set: "PCMK_tls_priorities=normal", Depends-On: I703b5a429f48063474aace85bc45d948f5c91435 Change-Id: I2a2ea8bfa4da35fa8721b14909b0968123379558
2019-07-10 22:26:11 +02:00 · 2019-07-10 22:26:11 +02:00 · feee059a43
commit feee059a43
parent 9119734f0a
2 changed files with 50 additions and 30 deletions
--- a/deployment/pacemaker/pacemaker-baremetal-puppet.yaml
+++ b/deployment/pacemaker/pacemaker-baremetal-puppet.yaml
@ -41,6 +41,10 @@ parameters:
    default: false
    description: Whether to enable fencing in Pacemaker or not.
    type: boolean
+  PacemakerTLSPriorities:
+    type: string
+    description: Pacemaker TLS Priorities
+    default: ''
  PacemakerRemoteAuthkey:
    type: string
    description: The authkey for the pacemaker remote service.
@ -102,6 +106,9 @@ parameters:
    type: boolean
    default: true

+conditions:
+  pcmk_tls_priorities_empty: {equals: [{get_param: PacemakerTLSPriorities}, '']}
+
 outputs:
  role_data:
    description: Role data for the Pacemaker role.
@ -109,7 +116,8 @@ outputs:
      service_name: pacemaker
      monitoring_subscription: {get_param: MonitoringSubscriptionPacemaker}
      config_settings:
-        pacemaker::corosync::cluster_name: 'tripleo_cluster'
+        map_merge:
+        - pacemaker::corosync::cluster_name: 'tripleo_cluster'
          pacemaker::corosync::manage_fw: false
          pacemaker::resource_defaults::defaults:
            resource-stickiness: { value: INFINITY }
@ -118,7 +126,7 @@ outputs:
          pacemaker::resource::bundle::deep_compare: true
          pacemaker::resource::ip::deep_compare: true
          pacemaker::resource::ocf::deep_compare: true
-        tripleo::pacemaker::firewall_rules:
+          tripleo.pacemaker.firewall_rules:
            '130 pacemaker tcp':
              proto: 'tcp'
              dport:
@ -139,6 +147,11 @@ outputs:
                  - {get_param: PcsdPassword}
                  - {get_param: [DefaultPasswords, pcsd_password]}
          tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey}
+        -
+          if:
+          - pcmk_tls_priorities_empty
+          - {}
+          - tripleo::pacemaker::tls_priorities: {get_param: PacemakerTLSPriorities}
      service_config_settings:
        fluentd:
          tripleo_fluentd_groups_pacemaker:
--- a/releasenotes/notes/pcmktlspriorities-4315010185adf45a.yaml
+++ b/releasenotes/notes/pcmktlspriorities-4315010185adf45a.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Introduce a PacemakerTLSPriorities parameter (which will set the PCMK_tls_priorities
+    config option in /etc/sysconfig/pacemaker and the PCMK_tls_priorities variable
+    inside the bundle. This, when set, allows an operator to specify what kind of
+    GNUTLS ciphers are desired for the pacemaker control port.