Converge quorum member auth

The current code for authenticating to quorum members generates a change event for every puppet run due to the exec having not being `refreshonly` or having any conditionals. This cases the pcsd tokens file to be updated regularly as well. The proposed change splits up the authentication so that it's done once per quorum member, rather than doing them all in one go. It also adds a conditional check to see if any authentication token is already present in the pcsd tokens file, and skips the exec if so. This is convergent, but comes with two minor costs: - if quorum member hostnames overlap (e.g. `foo` and `foobar`), then the condition will match perhaps incorrectly and one hostname may not get added - If for any reason the authentication token becomes invalid, puppet will not correct it, and manual intervention will be required (in the form of a `pcs cluster auth` or `pcs host auth` command) A `pcs host deauth` command would be handled correctly, and puppet would do a corrective re-auth. Fixes #500
voxpupuli · Jun 29, 2022 · d934d1f · d934d1f
1 parent 5f48a6c
commit d934d1f
Showing 1 changed file with 13 additions and 13 deletions.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -597,17 +597,17 @@
         default => 'pcs host auth',
       }
 
-      # Attempt to authorize all members. The command will return successfully
-      # if they were already authenticated so it's safe to run every time this
-      # is applied.
-      # TODO - make it run only once
-      exec { 'authorize_members':
-        command => "${pcs_auth_command} ${node_string} ${auth_credential_string}",
-        path    => $exec_path,
-        require => [
-          Service['pcsd'],
-          User['hacluster'],
-        ],
+      # Attempt to authorize each member
+      $quorum_members.each |$node| {
+        exec { "authorize_member_${node}":
+          command => "${pcs_auth_command} ${node} ${auth_credential_string}",
+          unless  => "grep '${node}' /var/lib/pcsd/tokens",
+          path    => $exec_path,
+          require => [
+            Service['pcsd'],
+            User['hacluster'],
+          ],
+        }
       }
     }
 
@@ -636,7 +636,7 @@
         command => "pcs cluster setup --force ${pcs_cluster_setup_namearg} ${cluster_name} ${node_string}",
         path    => $exec_path,
         onlyif  => 'test ! -f /etc/corosync/corosync.conf',
-        require => Exec['authorize_members'],
+        require => Exec[$quorum_members.map |$node| { "authorize_member_${node}" }],
       }
       # We need to do this so the temporary cluster doesn't delete our authkey
       if $enable_secauth {
@@ -655,7 +655,7 @@
         onlyif  => $qdevice_token_check,
         require => [
           Package[$package_quorum_device],
-          Exec['authorize_members'],
+          Exec[$quorum_members.map |$node| { "authorize_member_${node}" }],
           Exec['pcs_cluster_temporary'],
         ],
       }