From 7b55ac38ecd2b7bfcdf43578511df54b20d775da Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Tue, 11 Dec 2018 11:25:18 +0100
Subject: [PATCH] Fix up ordering of remote authkeys and a couple of pcs commands So when we landed https://review.openstack.org/#/c/569565/ we created the remote authkey file with the following constraints: Exec["Create Cluster ${cluster_name}"] -> File['etc-pacemaker-authkey'] File['etc-pacemaker-authkey'] -> Exec["Start Cluster ${cluster_name}"] This was because pcs, at the time, would remove the authkey when calling cluster setup. pcs has now been fixed to not remove this key anylonger and so we actually want it create as one of the very first things. I.e. even before pcsd starts. That way we have the guarantee that pcs is aware of it and will not remove it when destroying the cluster [1]. This will remove the error messages that were seen on the remotes for a certain amount of time (until pacemaker decided to reread the authkey from disk and retry the connection with the new credentials): pacemaker_remoted[21460]: notice: LRMD client connection established. 0x55d7f48bdad0 id: e662d8b9-c353-4e0e-9818-158812fedd34 pacemaker_remoted[21460]: error: TLS handshake with Pacemaker Remote failed: Decryption has failed. While we're at it we need to make every pcs auth command explicitely require Service['pcsd']. Right now this works by pure accident, those commands do fail if puppet decides to order them before pcsd is up and running. Closes-Bug: #1807906 [1] rhbz#1459503 Change-Id: I7164787205d2994e5949c29f756658d6392d7a4c
---
 manifests/corosync.pp | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/manifests/corosync.pp b/manifests/corosync.pp
index 472970af..370ed0be 100644
--- a/manifests/corosync.pp
+++ b/manifests/corosync.pp
@@ -148,6 +148,7 @@ class pacemaker::corosync(
 password => pw_hash($::pacemaker::hacluster_pwd, 'SHA-512', fqdn_rand_string(10)),
 groups => 'haclient',
 require => Class['::pacemaker::install'],
+ before => Service['pcsd'],
 notify => Exec['reauthenticate-across-all-nodes'],
 }

@@ -157,17 +158,17 @@ class pacemaker::corosync(
 timeout => $settle_timeout,
 tries => $settle_tries,
 try_sleep => $settle_try_sleep,
+ require => Service['pcsd'],
 tag => 'pacemaker-auth',
 }

- Service['pcsd'] ->
 exec { 'auth-successful-across-all-nodes':
 command => "${::pacemaker::pcs_bin} cluster auth ${cluster_members} -u hacluster -p ${::pacemaker::hacluster_pwd}",
 refreshonly => true,
 timeout => $settle_timeout,
 tries => $settle_tries,
 try_sleep => $settle_try_sleep,
- require => User['hacluster'],
+ require => [Service['pcsd'], User['hacluster']],
 unless => "${::pacemaker::pcs_bin} cluster auth ${cluster_members} -u hacluster -p ${::pacemaker::hacluster_pwd} | grep 'Already authorized'",
 tag => 'pacemaker-auth',
 }
@@ -258,11 +259,7 @@ class pacemaker::corosync(
 mode => '0640',
 content => $remote_authkey,
 }
- Exec <| title == 'auth-successful-across-all-nodes' |> -> File['etc-pacemaker-authkey']
- if $setup_cluster {
- Exec["Create Cluster ${cluster_name}"] -> File['etc-pacemaker-authkey']
- File['etc-pacemaker-authkey'] -> Exec["Start Cluster ${cluster_name}"]
- }
+ File['etc-pacemaker-authkey'] -> Service['pcsd']
 }

 exec {'wait-for-settle':
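Review bot: The `command` and `unless` strings of `auth-successful-across-all-nodes` pass the hacluster password to pcs with `-p ${::pacemaker::hacluster_pwd}`, so the cleartext secret sits on the process command line and, on a failed or debug-logged run, can probably end up in Puppet logs and reports. The `unless` check repeats that exposure on every agent run, not only on refresh. This change touches only the `require` lines, but since the auth execs are being reworked here it is worth a follow-up to hand the password over through a channel that is not world-readable (stdin or a root-only file, if the deployed pcs supports it) and to mark the value `Sensitive` where the Puppet version allows. The first exec's header is outside the hunk; I assume it carries the same `-p` argument and would need the same treatment.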
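Review bot: The new `File['etc-pacemaker-authkey'] -> Service['pcsd']` ordering is only safe with a pcs that no longer deletes the authkey during cluster setup, and nothing in the manifest records or checks that. With the old `Create Cluster -> File` edge removed, an older pcs would apparently wipe the key after it is written, and the remotes would keep failing the TLS handshake until a later run rewrites it. I would add a comment above the arrow such as `# Requires a pcs that keeps the authkey on cluster setup (rhbz#1459503); do not reorder after pcsd`, and state the minimum pcs version in the module docs. Separately, the file resource (its opening is outside the hunk) writes `$remote_authkey` via `content`; if `show_diff => false` is not already set there, the key can be printed in agent diffs.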