Fix up ordering of remote authkeys and a couple of pcs commands

So when we landed https://review.openstack.org/#/c/569565/ we created
the remote authkey file with the following constraints:
  Exec["Create Cluster ${cluster_name}"] -> File['etc-pacemaker-authkey']
  File['etc-pacemaker-authkey'] -> Exec["Start Cluster ${cluster_name}"]

This was because pcs, at the time, would remove the authkey when calling
cluster setup. pcs has now been fixed to not remove this key anylonger
and so we actually want it create as one of the very first things. I.e.
even before pcsd starts.

That way we have the guarantee that pcs is aware of it and will not
remove it when destroying the cluster [1].

This will remove the error messages that were seen on the remotes for a
certain amount of time (until pacemaker decided to reread the authkey
from disk and retry the connection with the new credentials):
pacemaker_remoted[21460]:  notice: LRMD client connection established. 0x55d7f48bdad0 id: e662d8b9-c353-4e0e-9818-158812fedd34
pacemaker_remoted[21460]:   error: TLS handshake with Pacemaker Remote failed: Decryption has failed.

While we're at it we need to make every pcs auth command explicitely
require Service['pcsd']. Right now this works by pure accident, those
commands do fail if puppet decides to order them before pcsd is up and
running.

Closes-Bug: #1807906

[1] rhbz#1459503

Change-Id: I7164787205d2994e5949c29f756658d6392d7a4c

manifests/corosync.pp

@@ -148,6 +148,7 @@ class pacemaker::corosync(
       password => pw_hash($::pacemaker::hacluster_pwd, 'SHA-512', fqdn_rand_string(10)),
       groups   => 'haclient',
       require  => Class['::pacemaker::install'],
+      before   => Service['pcsd'],
       notify   => Exec['reauthenticate-across-all-nodes'],
     }
 
@@ -157,17 +158,17 @@ class pacemaker::corosync(
       timeout     => $settle_timeout,
       tries       => $settle_tries,
       try_sleep   => $settle_try_sleep,
+      require     => Service['pcsd'],
       tag         => 'pacemaker-auth',
     }
 
-    Service['pcsd'] ->
     exec { 'auth-successful-across-all-nodes':
       command     => "${::pacemaker::pcs_bin} cluster auth ${cluster_members} -u hacluster -p ${::pacemaker::hacluster_pwd}",
       refreshonly => true,
       timeout     => $settle_timeout,
       tries       => $settle_tries,
       try_sleep   => $settle_try_sleep,
-      require     => User['hacluster'],
+      require     => [Service['pcsd'], User['hacluster']],
       unless      => "${::pacemaker::pcs_bin} cluster auth ${cluster_members} -u hacluster -p ${::pacemaker::hacluster_pwd} | grep 'Already authorized'",
       tag         => 'pacemaker-auth',
     }
@@ -258,11 +259,7 @@ class pacemaker::corosync(
       mode    => '0640',
       content => $remote_authkey,
     }
-    Exec <| title == 'auth-successful-across-all-nodes' |> -> File['etc-pacemaker-authkey']
-    if $setup_cluster {
-      Exec["Create Cluster ${cluster_name}"] -> File['etc-pacemaker-authkey']
-      File['etc-pacemaker-authkey'] -> Exec["Start Cluster ${cluster_name}"]
-    }
+    File['etc-pacemaker-authkey'] -> Service['pcsd']
   }
 
   exec {'wait-for-settle':