DRBD: Add hmac parameter to support peer auth

DRBD has its own authentication mechanism between drbd nodes. To enable DRBD peer authentication, we need to specify the following two parameters. - cram-hmac : The HMAC algorithm to enable peer authentication - shared-secret: The shared secret used in peer authentication in drdb resource configuration to enable DRBD peer authentication. The parameter "secret" already exists in the current implementation. This change adds a new parameter "hmac" to specify cram-hmac. If this parameter is undefined, it will set "sha1" as the current value for compatibility. Story: 2011139 Task: 50254 Test Plan: PASS: Confirm hmac and secret has proper values in drbd resource config when hmac and secret parameters are configured PASS: Confirm drdb resource config has hmac default value and no secret when hmac and secret parameters are not configured. PASS: SX fresh install finishes successfully. PASS: SX upgrade finishes successfully. PASS: DX fresh install finishes successfully. PASS: DX upgrade finishes successfully. Change-Id: I2f9e6394cf7e89a33befcd6a84dbe36215be4d6d Signed-off-by: Luiz Felipe Kina <LuizFelipe.EiskeKina@windriver.com>
2023-12-15 14:21:02 -03:00 · 2023-12-15 14:21:02 -03:00 · 3d36309040
commit 3d36309040
parent 5bbbfb65c9
2 changed files with 56 additions and 0 deletions
--- a/config/puppet-modules/puppet-drbd-0.5.2/debian/patches/0014-Add-hmac-parameter.patch
+++ b/config/puppet-modules/puppet-drbd-0.5.2/debian/patches/0014-Add-hmac-parameter.patch
@ -0,0 +1,55 @@
 From 3dd573bc54234ef1ed7998b93a6b03f13deb56ee Mon Sep 17 00:00:00 2001
 From: Takamasa Takenaka <takamasa.takenaka@windriver.com>
 Date: Wed, 10 Jan 2024 14:20:02 -0300
 Subject: [PATCH] Add hmac parameter
 DRBD has its own authentication mechanism between drbd nodes.
 To enable DRBD peer authentication, we need to specify the
 following two parameters.
 - cram-hmac    : The HMAC algorithm to enable peer authentication
 - shared-secret: The shared secret used in peer authentication
 in drdb resource configuration to enable DRBD peer authentication.
 The parameter "secret" already exists in the current implementation.
 This change adds a new parameter "hmac" to specify cram-hmac.
 If this parameter is undefined, it will set "sha1" as
 the current value for compatibility.
 Signed-off-by: Takamasa Takenaka <takamasa.takenaka@windriver.com>
 ---
 manifests/resource.pp    | 1 +
 templates/header.res.erb | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)
 diff --git a/manifests/resource.pp b/manifests/resource.pp
 index ede961f..68159c8 100644
 --- a/manifests/resource.pp
 +++ b/manifests/resource.pp
@@ -61,6 +61,7 @@ define drbd::resource (
   $mkfs_opts      = '',
   $disk           = undef,
   $handlers       = false,
 +  $hmac           = undef,
 ) {
   include ::drbd
 diff --git a/templates/header.res.erb b/templates/header.res.erb
 index 2cf8e37..320f10b 100644
 --- a/templates/header.res.erb
 +++ b/templates/header.res.erb
@@ -44,7 +44,11 @@ module bitmap_parse() routine from truncating input at 64 bits. -%>
     after-sb-1pri discard-secondary;
     after-sb-2pri disconnect;
 -    cram-hmac-alg sha1;
 +<% if @hmac -%>
 +    cram-hmac-alg "<%= @hmac %>";
 +<% else -%>
 +    cram-hmac-alg "sha1";
 +<% end -%>
 <% if @secret -%>
     shared-secret "<%= @secret %>";
 <% end -%>
 -- 
 2.25.1
--- a/config/puppet-modules/puppet-drbd-0.5.2/debian/patches/series
+++ b/config/puppet-modules/puppet-drbd-0.5.2/debian/patches/series
@ -11,3 +11,4 @@
 0011-Fix-DRBD-cephmon-resize.patch
 0012-Convert-strings-to-Numeric-type-to-avoid-warnings.patch
 0013-Ensure-drbd-becomes-primary.patch
 0014-Add-hmac-parameter.patch