Code Review / apex-puppet-tripleo.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 01ae503)
Enable encryption of pacemaker traffic by default
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>
Mon, 31 Jul 2017 08:22:22 +0000 (11:22 +0300)
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>
Tue, 1 Aug 2017 05:39:33 +0000 (08:39 +0300)
We already are setting a pre-shared key by default for the pacemaker
cluster. This was done in order to communicate with TLS-PSK with
pacemaker-remote clusters. This key is also useful for us to enable
encrypted traffic for the regular cluster traffic, which we enable by
default with this patch.

Change-Id: I349b8bf79eeeaa4ddde1c17b7014603913f184cf

manifests/profile/base/pacemaker.pp patch | blob | history
releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml [new file with mode: 0644] patch | blob

diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp
index d468110..de7e069 100644 (file)
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -63,6 +63,10 @@
 #   be set to 60s.
 #   Defaults to hiera('pacemaker_cluster_recheck_interval', undef)
 #
+# [*encryption*]
+#   (Optional) Whether or not to enable encryption of the pacemaker traffic
+#   Defaults to true
+#
 class tripleo::profile::base::pacemaker (
   $step                      = Integer(hiera('step')),
   $pcs_tries                 = hiera('pcs_tries', 20),
@@ -74,6 +78,7 @@ class tripleo::profile::base::pacemaker (
   $remote_tries              = hiera('pacemaker_remote_tries', 5),
   $remote_try_sleep          = hiera('pacemaker_remote_try_sleep', 60),
   $cluster_recheck_interval  = hiera('pacemaker_cluster_recheck_interval', undef),
+  $encryption                = true,
 ) {
 
   if count($remote_short_node_names) != count($remote_node_ips) {
@@ -98,9 +103,20 @@ class tripleo::profile::base::pacemaker (
     $pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G'))
     $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false))
     if $corosync_ipv6 {
-      $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' }
+      $cluster_setup_extras_pre = {
+        '--token' => hiera('corosync_token_timeout', 1000),
+        '--ipv6' => ''
+      }
+    } else {
+      $cluster_setup_extras_pre = {
+        '--token' => hiera('corosync_token_timeout', 1000)
+      }
+    }
+
+    if $encryption {
+      $cluster_setup_extras = merge($cluster_setup_extras_pre, {'--encryption' => '1'})
     } else {
-      $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000) }
+      $cluster_setup_extras = $cluster_setup_extras_pre
     }
     class { '::pacemaker':
       hacluster_pwd => hiera('hacluster_pwd'),
diff --git a/releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml b/releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml
new file mode 100644 (file)
index 0000000..65b0316
--- /dev/null
+++ b/releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Encryption is used for pacemaker traffic by default. This is achieved by
+    using a pre shared key for all the pacemaker cluster nodes (same as the one
+    that was used for the pacemaker remote communication).