Puppet Strings Reference & Corosync Crypto

README.md

@@ -64,6 +64,35 @@ class { 'corosync':
 }
 ```
 
+### Configure Corosync Secure Authentication
+
+By default the built-in Puppet CA will be used to perform this authentication,
+however, generating a dedicated key is a better approach.
+
+1. Generate a new key on a machine with Corosync installed and convert it to Base64.
+
+    ```bash
+    # Generate the key
+    corosync-keygen -k /tmp/authkey
+    ```
+2. Convert the key file to a Base64 string so it can be used in your manifest.
+
+    ```bash
+    # Convert it to a Base64 string
+    base64 -w 0 /tmp/authkey > /tmp/authkey_base64
+    ```
+3. Declare the corosync module using this string.
+
+    ```puppet
+    class { 'corosync':
+      enable_secauth => true,
+      authkey_source => 'string',
+      authkey        => 'MxjvpEztT3Mi+QagUO2cefhLDrP2BSFYKS3g1WXTUj2eCgGDPcSNf3uCKgzJKhoWTgJm2nYDHJv8KiFqMoW3ATuVr/9fLb/lgUVfoz0GnP10S7r77aqaIsERhJcGVQhcteHVlZl6zOo6VQz4ekH7VPmMlKJX0iQPuJTh9o6qhjg=',
+    }
+    ```
+
+If the authkey is included directly in config, consider storing the value in hiera and encrypting it via [hiera-eyaml](https://github.com/voxpupuli/hiera-eyaml).
+
 ### Configure votequorum
 
 *To enable Corosync 2 votequorum and define a nodelist
@@ -439,8 +468,7 @@ to function.
 ## Notes
 
 ### Upstream documentation
-
-We suggest you at least go read the [Clusters from Scratch](http://clusterlabs.org/doc/) document
+We suggest you at least go read the [Clusters from Scratch](http://clusterlabs.org/pacemaker/doc/) document
 from Cluster Labs.  It will help you out a lot when understanding how all the pieces
 fall together a point you in the right direction when Corosync/Pacemaker fails unexpectedly.
 
@@ -472,6 +500,10 @@ Special thanks to [Puppet, Inc](http://puppet.com) for initial development and
 [Vox Pupuli](https://voxpupuli.org) to provide a platform that allows us to
 continue the development of this module.
 
+## Development
+
+See the [contributing guide](./.github/CONTRIBUTING.md) for details. Additionally, some general guidelines on PR structure can be found [here](https://voxpupuli.org/docs/#reviewing-a-module-pr).
+
 ## Copyright and License
 
 Copyright © 2012-2014 [Puppet Inc](https://www.puppet.com/)

lib/puppet/provider/cs_commit/crm.rb

@@ -8,6 +8,10 @@
 end
 
 Puppet::Type.type(:cs_commit).provide(:crm, parent: PuppetX::Voxpupuli::Corosync::Provider::Crmsh) do
+  desc 'Specific provider for a rather specific type since I currently have no plan to
+        abstract corosync/pacemaker vs. keepalived. This provider flushes the CIB
+        generated by previous commands to cluster.'
+
   commands crm_shadow: 'crm_shadow'
   commands cibadmin: 'cibadmin'
   # Required for block_until_ready

lib/puppet/provider/cs_commit/pcs.rb

@@ -8,6 +8,10 @@
 end
 
 Puppet::Type.type(:cs_commit).provide(:pcs, parent: PuppetX::Voxpupuli::Corosync::Provider::Pcs) do
+  desc 'Specific provider for a rather specific type since I currently have no plan to
+        abstract corosync/pacemaker vs. keepalived. This provider flushes the CIB
+        generated by previous commands to cluster.'
+
   commands cibadmin: 'cibadmin'
   # Required for block_until_ready
   commands pcs: 'pcs'

lib/puppet/provider/cs_shadow/crm.rb

@@ -8,6 +8,10 @@
 end
 
 Puppet::Type.type(:cs_shadow).provide(:crm, parent: PuppetX::Voxpupuli::Corosync::Provider::Crmsh) do
+  desc 'Specific provider for a rather specific type since I currently have no plan to
+        abstract corosync/pacemaker vs. keepalived. This provider initializes a new CIB
+        to begin tracking cluster changes.'
+
   commands crm_shadow: 'crm_shadow'
   commands cibadmin: 'cibadmin'
   commands crm: 'crm'

lib/puppet/provider/cs_shadow/pcs.rb

@@ -8,6 +8,10 @@
 end
 
 Puppet::Type.type(:cs_shadow).provide(:pcs, parent: PuppetX::Voxpupuli::Corosync::Provider::Pcs) do
+  desc 'Specific provider for a rather specific type since I currently have no plan to
+        abstract corosync/pacemaker vs. keepalived. This provider initializes a new CIB
+        to begin tracking cluster changes.'
+
   commands cibadmin: 'cibadmin'
   # Required for block_until_ready
   commands pcs: 'pcs'

lib/puppet/type/cs_commit.rb

@@ -1,9 +1,14 @@
 Puppet::Type.newtype(:cs_commit) do
-  @doc = 'This type is an implementation detail. DO NOT use it directly'
+  @doc = 'Final commit statement which triggers the syncronous application of
+          all primitive changes which reference this CIB. Do not generate more
+          than one cs_commit referencing the same CIB for a given cluster!'
 
   feature :refreshable, 'The provider can execute the commit.', methods: [:commit]
 
   newparam(:cib) do
+    desc 'Name of the CIB to commit. This value defaults to the name of
+          the cs_commit resource.'
+
     def insync?(_is)
       true
     end
@@ -12,6 +17,7 @@ def insync?(_is)
   end
 
   newparam(:name) do
+    desc 'Name of the CIB to commit. See the cib parameter for more detail.'
     isnamevar
   end
 

lib/puppet/type/cs_shadow.rb

@@ -5,6 +5,7 @@
     value have also been applied."
 
   newparam(:cib) do
+    desc 'Name of the CIB to begin tracking changes against.'
     isnamevar
   end
 
@@ -15,6 +16,8 @@
   end
 
   newproperty(:epoch) do
+    desc 'Implementation detail. DO NOT SET DIRECTLY.'
+
     def sync
       provider.sync(@resource[:cib])
     end

manifests/init.pp

@@ -1,259 +1,237 @@
-# == Class: corosync
+# @summary Configures the Pacemaker+Corosync stack to provide high-availability.
 #
 # This class will set up corosync for use by the Puppet Enterprise console to
 # facilitate an active/standby configuration for high availability.  It is
 # assumed that this module has been initially ran on a Puppet master with the
 # capabilities of signing certificates to do the initial key generation.
 #
-# === Parameters
-#
-# [*enable_secauth*]
+# @param enable_secauth
 #   Controls corosync's ability to authenticate and encrypt multicast messages.
-#   Default: true
 #
-# [*authkey_source*]
+# @param secauth_parameter_mode
+#   Determines whether the crypto_hash and crypto_cipher parameters are
+#   specified. These flags were added in Corosync 2.x so operating systems using
+#   older 1.x packages must continue to use sec_auth instead.
+#
+# @param authkey_source
 #   Allows to use either a file or a string as a authkey.
-#   Default: 'file'
 #
-# [*authkey*]
+# @param authkey
 #   Specifies the path to the CA which is used to sign Corosync's certificate if
-#   authkey_source is 'file' or the actual authkey if 'string' is used instead.
-#   Default: '/etc/puppet/ssl/certs/ca.pem'
+#   authkey_source is 'file' or a base64 encoded version of the actual authkey
+#   if 'string' is used instead.
+#
+# @param crypto_hash
+#   Hashing algorithm used by corosync for intra-cluster communication. Valid
+#   values are none, md5, sha1, sha256, sha384, and sha512
+#
+# @param crypto_cipher
+#   Encryption cipher used by corosync for intra-cluster communication. Valid
+#   values are none, aes256, aes192, aes128, and 3des
 #
-# [*threads*]
+# @param threads
 #   How many threads you are going to let corosync use to encode and decode
 #   multicast messages.  If you turn off secauth then corosync will ignore
 #   threads.
-#   Default: undef
 #
-# [*bind_address*]
+# @param bind_address
 #   The ip address we are going to bind the corosync daemon too.
 #   Can be specified as an array to have multiple rings.
-#   Default: $::ipaddress
 #
-# [*port*]
+# @param port
 #   The UDP port that corosync will use to do its multicast communication. Be
 #   aware that corosync used this defined port plus minus one.
 #   Can be specified as an array to have multiple rings.
-#   Default: '5405'
 #
-# [*multicast_address*]
+# @param multicast_address [Optional[Stdlib::Compat::Ip_address]]
 #   An IP address that has been reserved for multicast traffic.  This is the
 #   default way that Corosync accomplishes communication across the cluster.
 #   Use 'broadcast' to have broadcast instead
 #   Can be specified as an array to have multiple rings (multicast only).
-#   Default: undef
 #
-# [*unicast_addresses*]
+# @param unicast_addresses
 #   An array of IP addresses that make up the cluster's members.  These are
 #   use if you are able to use multicast on your network and instead opt for
 #   the udpu transport.  You need a relatively recent version of Corosync to
 #   make this possible.
 #   You can also have an array of arrays to have multiple rings. In that case,
 #   each subarray matches a host IP addresses.
-#   Default: undef
 #
-# [*force_online*]
+# @param force_online
 #   Boolean parameter specifying whether to force nodes that have been put
 #   in standby back online.
-#   Default: false
 #
-# [*check_standby*]
+# @param check_standby
 #   Boolean parameter specifying whether puppet should return an error log
 #   message if a node is in standby. Useful for monitoring node state.
-#   Default: false
 #
-# [*log_timestamp*]
+# @param log_timestamp
 #   Boolean parameter specifying whether a timestamp should be placed on all
 #   log messages.
-#   Default: false
 #
-# [*log_file*]
+# @param log_file
 #   Boolean parameter specifying whether Corosync should produce debug
 #   output in a logfile.
-#   Default: true
 #
-# [*log_file_name*]
+# @param log_file_name
 #   Absolute path to the logfile Corosync should use when `$log_file` (see
 #   above) is true.
-#   Default: undef
 #
-# [*debug*]
+# @param debug
 #   Boolean parameter specifying whether Corosync should produce debug
 #   output in its logs.
-#   Default: false
 #
-# [*log_stderr*]
+# @param log_stderr
 #   Boolean parameter specifying whether Corosync should log errors to
 #   stderr.
-#   Default: true
 #
-# [*syslog_priority*]
+# @param syslog_priority
 #   String parameter specifying the minimal log level for Corosync syslog
 #   messages. Allowed values: debug|info|notice|warning|err|emerg.
-#   Default: 'info'.
 #
-# [*log_function_name*]
+# @param log_function_name
 #   Boolean parameter specifying whether Corosync should log called function
 #   names to.
-#   Default: false
 #
-# [*rrp_mode*]
+# @param rrp_mode
 #   Mode of redundant ring. May be none, active, or passive.
-#   Default: undef
 #
-# [*netmtu*]
+# @param netmtu
 #   This specifies the network maximum transmit unit.
-#   Default: undef
 #
-# [*ttl*]
+# @param ttl
 #   Time To Live.
-#   Default: undef
 #
-# [*vsftype*]
+# @param vsftype
 #   Virtual synchrony filter type.
-#   Default: undef
 #
-# [*package_corosync*]
+# @param package_corosync
 #   Define if package corosync should be managed.
-#   Default: true
 #
-# [*package_crmsh*]
+# @param package_crmsh
 #   Define if package crmsh should be managed.
 #   Default (Debian based): true
 #   Default (otherwise):    false
 #
-# [*package_pacemaker*]
+# @param package_pacemaker
 #   Define if package pacemaker should be managed.
-#   Default: true
 #
-# [*package_pcs*]
+# @param package_pcs
 #   Define if package pcs should be managed.
 #   Default (Red Hat based):  true
 #   Default (otherwise):      false
 #
-# [*packageopts_corosync*]
+# @param packageopts_corosync
 #   Additional install-options for the corosync package resource.
 #   Default (Debian Jessie):  ['-t', 'jessie-backports']
 #   Default (otherwise):      undef
 #
-# [*packageopts_crmsh*]
+# @param packageopts_crmsh
 #   Additional install-options for the crmsh package resource.
 #   Default (Debian Jessie):  ['-t', 'jessie-backports']
 #   Default (otherwise):      undef
 #
-# [*packageopts_pacemaker*]
+# @param packageopts_pacemaker
 #   Additional install-options for the pacemaker package resource.
 #   Default (Debian Jessie):  ['-t', 'jessie-backports']
 #   Default (otherwise):      undef
 #
-# [*packageopts_pcs*]
+# @param packageopts_pcs
 #   Additional install-options for the pcs package resource.
 #   Default (Debian Jessie):  ['-t', 'jessie-backports']
 #   Default (otherwise):      undef
 #
-# [*version_corosync*]
+# @param version_corosync
 #   Define what version of the corosync package should be installed.
 #   Default: 'present'
 #
-# [*version_crmsh*]
+# @param version_crmsh
 #   Define what version of the crmsh package should be installed.
 #   Default: 'present'
 #
-# [*version_pacemaker*]
+# @param version_pacemaker
 #   Define what version of the pacemaker package should be installed.
 #   Default: 'present'
 #
-# [*version_pcs*]
+# @param version_pcs
 #   Define what version of the pcs package should be installed.
 #   Default: 'present'
 #
-# [*set_votequorum*]
+# @param set_votequorum
 #   Set to true if corosync_votequorum should be used as quorum provider.
 #   Default (Red Hat based):    true
 #   Default (Ubuntu >= 14.04):  true
 #   Default (otherwise):        false
 #
-# [*votequorum_expected_votes*]
-#   Default: undef
+# @param votequorum_expected_votes
+#   Overrides the automatic calculation of expected votes which is normally
+#   derived from the number of nodes.
 #
-# [*quorum_members*]
+# @param quorum_members
 #   Array of quorum member hostname. This is required if set_votequorum
 #   is set to true.
 #   You can also have an array of arrays to have multiple rings. In that case,
 #   each subarray matches a member IP addresses.
-#   Default: ['localhost']
 #
-# [*quorum_members_ids*]
+# @param quorum_members_ids
 #   Array of quorum member IDs. Persistent IDs are required for the dynamic
 #   config of a corosync cluster and when_set_votequorum is set to true.
 #   Should be used only with the quorum_members parameter.
-#   Default: undef
 #
-# [*quorum_members_names*]
+# @param quorum_members_names
 #   Array of quorum member names. Persistent names are required when you
 #   define IP addresses in quorum_members.
-#   Default: undef
 #
-# [*token*]
+# @param token
 #   Time (in ms) to wait for a token
-#   Default: undef
 #
-# [*token_retransmits_before_loss_const*]
+# @param token_retransmits_before_loss_const
 #   How many token retransmits before forming a new configuration.
-#   Default: undef
 #
-# [*compatibility*]
-#   Default: undef
+# @param compatibility
+#   Older versions of corosync allowed a config-file directive to indicate
+#   backward compatibility. This sets that.
 #
-# [*enable_corosync_service*]
+# @param enable_corosync_service
 #   Whether the module should enable the corosync service.
-#   Default: true
 #
-# [*manage_corosync_service*]
+# @param manage_corosync_service
 #   Whether the module should try to manage the corosync service. If set to
 #   false, the service will need to be specified in the catalog elsewhere.
-#   Default: true
 #
-# [*enable_pacemaker_service*]
+# @param enable_pacemaker_service
 #   Whether the module should enable the pacemaker service.
-#   Default: true
 #
-# [*manage_pacemaker_service*]
+# @param manage_pacemaker_service
 #   Whether the module should try to manage the pacemaker service.
 #   Default (Red Hat based >= 7): true
 #   Default (Ubuntu >= 14.04):    true
 #   Default (otherwise):          false
 #
-# [*enable_pcsd_service*]
+# @param enable_pcsd_service
 #   Whether the module should enable the pcsd service.
-#   Default: true
 #
-# [*manage_pcsd_service*]
+# @param manage_pcsd_service
 #   Whether the module should try to manage the pcsd service in addition to the
 #   corosync service.
 #   pcsd service is the GUI and the remote configuration interface.
-#   Default: false
 #
-# [*cluster_name*]
+# @param cluster_name
 #   This specifies the name of cluster and it's used for automatic
 #   generating of multicast address.
-#   Default: undef
 #
-# [*join*]
+# @param join
 #   This timeout specifies in milliseconds how long to wait for join messages
 #   in the membership protocol.
-#   Default: undef
 #
-# [*consensus*]
+# @param consensus
 #   This timeout specifies in milliseconds how long to wait for consensus to be
 #   achieved before starting a new round of membership configuration.
 #   The minimum value for consensus must be 1.2 * token. This value will be
 #   automatically calculated at 1.2 * token if the user doesn't specify a
 #   consensus value.
-#   Default: undef
 #
-# [*clear_node_high_bit*]
+# @param clear_node_high_bit
 #   This configuration option is optional and is only relevant when no nodeid
 #   is specified. Some openais clients require a signed 32 bit nodeid that is
 #   greater than zero however by default openais uses all 32 bits of the IPv4
@@ -262,23 +240,21 @@
 #   32 bit integer.
 #   WARNING: The clusters behavior is undefined if this option is enabled on
 #   only a subset of the cluster (for example during a rolling upgrade).
-#   Default: undef
 #
-# [*max_messages*]
+# @param max_messages
 #   This constant specifies the maximum number of messages that may be sent by
 #   one processor on receipt of the token. The max_messages parameter is limited
 #   to 256000 / netmtu to prevent overflow of the kernel transmit buffers.
-#   Default: undef
 #
-# [*test_corosync_config*]
+# @param test_corosync_config
 #   Whether we should test new configuration files with `corosync -t`.
 #   (requires corosync 2.3.4)
 #   Default (Red Hat based >= 7): true
 #   Default (Ubuntu >= 16.04):    true
 #   Default (Debian >= 8):        true
 #   Default (otherwise):          false
 #
-# === Examples
+# @example Simple configuration without secauth
 #
 #  class { 'corosync':
 #    enable_secauth    => false,
@@ -296,8 +272,11 @@
 #
 class corosync(
   Boolean $enable_secauth                                            = $corosync::params::enable_secauth,
+  Enum['1.x','2.x'] $secauth_parameter_mode                          = $corosync::params::secauth_parameter_mode,
   Enum['file', 'string'] $authkey_source                             = $corosync::params::authkey_source,
-  Variant[Stdlib::Absolutepath,String[1]] $authkey                   = $corosync::params::authkey,
+  Variant[Stdlib::Absolutepath,Stdlib::Base64] $authkey              = $corosync::params::authkey,
+  Corosync::CryptoHash $crypto_hash                                  = 'sha1',
+  Corosync::CryptoCipher $crypto_cipher                              = 'aes256',
   Optional[Integer] $threads                                         = undef,
   Optional[Variant[Integer[0,65535], Array[Integer[0,65535]]]] $port = $corosync::params::port,
   Corosync::IpStringIp $bind_address                                 = $corosync::params::bind_address,
@@ -419,7 +398,7 @@
       'string': {
         file { '/etc/corosync/authkey':
           ensure  => file,
-          content => $authkey,
+          content => Binary($authkey, '%B'),
           mode    => '0400',
           owner   => 'root',
           group   => 'root',

manifests/params.pp

@@ -1,3 +1,4 @@
+# @summary Configures sane defaults based on the operating system.
 class corosync::params {
   $enable_secauth                      = true
   $authkey_source                      = 'file'
@@ -31,9 +32,11 @@
       if versioncmp($::operatingsystemrelease, '7') >= 0 {
         $manage_pacemaker_service = true
         $test_corosync_config = true
+        $secauth_parameter_mode = '2.x'
       } else {
         $manage_pacemaker_service = false
         $test_corosync_config = false
+        $secauth_parameter_mode = '1.x'
       }
       $package_install_options = undef
     }
@@ -46,6 +49,7 @@
           if versioncmp($::operatingsystemrelease, '14.04') >= 0 {
             $set_votequorum = true
             $manage_pacemaker_service = true
+            $secauth_parameter_mode = '2.x'
 
             if versioncmp($::operatingsystemrelease, '16.04') >= 0 {
               $test_corosync_config = true
@@ -63,6 +67,7 @@
             $set_votequorum = false
             $manage_pacemaker_service = false
             $test_corosync_config = false
+            $secauth_parameter_mode = '1.x'
           }
           $package_install_options = undef
         }
@@ -71,6 +76,7 @@
             $set_votequorum = true
             $manage_pacemaker_service = true
             $test_corosync_config = true
+            $secauth_parameter_mode = '2.x'
             if versioncmp($::operatingsystemrelease, '8') == 0 {
               $package_install_options = ['-t', 'jessie-backports']
             } else {
@@ -81,13 +87,15 @@
             $manage_pacemaker_service = false
             $package_install_options = undef
             $test_corosync_config = false
+            $secauth_parameter_mode = '1.x'
           }
         }
         default : {
           $set_votequorum = false
           $manage_pacemaker_service = false
           $package_install_options = undef
           $test_corosync_config = false
+          $secauth_parameter_mode = '1.x'
         }
       }
     }

manifests/reprobe.pp

@@ -1,17 +1,13 @@
-# == Class: corosync::reprobe
+# @summary Triggers re-probe for changes any of the native cs_* types.
 #
 # Include this class to reprobe the corosync cluster when there are changes in
 # any of the native cs_* types. Useful for multi-node provisioning when the
 # nodes are not always in a stable state after provisioning.
 #
-# === Examples
-#
-# Reprobe corosync after making cluster configuration changes:
+# @example Reprobe corosync after making cluster configuration changes
 #
 #   include corosync::reprobe
 #
-# === Copyright
-#
 # Copyright 2012 Puppet Labs, LLC.
 #
 class corosync::reprobe {

manifests/service.pp

@@ -1,22 +1,19 @@
-# == Define: corosync::service
+# @summary Declare services within /etc/corosync/service.d/ (Corosync 1.x)
 #
 # Models a Corosync service.  Corosync services are plugins that provide
 # functionality for monitoring cluster resources.  One of the most common
-# of these plugins being Pacemaker.
+# of these plugins being Pacemaker. This is for corosync 1.x!
 #
-# === Parameters
-#
-# [*namevar*]
+# @param name [String]
 #   The namevar in this type is the title you give it when you define a resource
 #   instance.  It is used for a handful of purposes; defining the name of the
 #   config file and the name defined inside the file itself.
 #
-# [*version*]
-#   Version of the protocol used by this service.
+# @param version
+#   Version of the protocol used by this service. This is currently unused.
 #
-# === Examples
 #
-# Provide some examples on how to use this type:
+# @example Simple configuration of a service with version '0'.
 #
 #   corosync::service { 'pacemaker':
 #     version => '0',
@@ -30,7 +27,9 @@
 #
 # Copyright 2012 Puppet Labs, LLC.
 #
-define corosync::service($version) {
+define corosync::service(
+  String[1] $version,
+) {
 
   file { "/etc/corosync/service.d/${name}":
     ensure  => file,

spec/classes/corosync_spec.rb

@@ -249,22 +249,6 @@
         end
       end
 
-      context 'without secauth' do
-        before do
-          params.merge!(
-            enable_secauth: false
-          )
-        end
-
-        it { is_expected.to compile.with_all_deps }
-
-        it 'configures secauth correctly' do
-          is_expected.to contain_file('/etc/corosync/corosync.conf').with_content(
-            %r{secauth:\s+off}
-          )
-        end
-      end
-
       context 'with one ring' do
         before do
           params.merge!(
@@ -330,11 +314,11 @@
       before do
         params.merge!(
           authkey_source: 'string',
-          authkey: 'mysecretkey'
+          authkey: 'bXlzZWNyZXRrZXkK' # 'mysecretkey' in base64
         )
       end
       it 'deploys authkey file' do
-        is_expected.to contain_file('/etc/corosync/authkey').with_content('mysecretkey')
+        is_expected.to contain_file('/etc/corosync/authkey').with_content('bXlzZWNyZXRrZXkK')
       end
     end
 
@@ -590,6 +574,44 @@
       )
     end
 
+    context 'without secauth' do
+      before do
+        params.merge!(
+          enable_secauth: false
+        )
+      end
+
+      it { is_expected.to compile.with_all_deps }
+
+      it 'disables secauth with corsync 2.x syntax' do
+        is_expected.to contain_file('/etc/corosync/corosync.conf').with_content(
+          %r{crypto_hash:\s+none}
+        )
+        is_expected.to contain_file('/etc/corosync/corosync.conf').with_content(
+          %r{crypto_cipher:\s+none}
+        )
+      end
+    end
+
+    context 'with secauth' do
+      before do
+        params.merge!(
+          enable_secauth: true
+        )
+      end
+
+      it { is_expected.to compile.with_all_deps }
+
+      it 'enables secauth with corsync 2.x syntax' do
+        is_expected.to contain_file('/etc/corosync/corosync.conf').with_content(
+          %r{crypto_hash:\s+sha1}
+        )
+        is_expected.to contain_file('/etc/corosync/corosync.conf').with_content(
+          %r{crypto_cipher:\s+aes256}
+        )
+      end
+    end
+
     it_configures 'corosync'
   end
 
@@ -607,6 +629,38 @@
 
       it_configures 'corosync'
 
+      context 'without secauth' do
+        before do
+          params.merge!(
+            enable_secauth: false
+          )
+        end
+
+        it { is_expected.to compile.with_all_deps }
+
+        it 'disables secauth with corsync 1.x syntax' do
+          is_expected.to contain_file('/etc/corosync/corosync.conf').with_content(
+            %r{secauth:\s+off}
+          )
+        end
+      end
+
+      context 'with secauth' do
+        before do
+          params.merge!(
+            enable_secauth: true
+          )
+        end
+
+        it { is_expected.to compile.with_all_deps }
+
+        it 'enables secauth with corsync 1.x syntax' do
+          is_expected.to contain_file('/etc/corosync/corosync.conf').with_content(
+            %r{secauth:\s+on}
+          )
+        end
+      end
+
       it 'does not manage the pacemaker service' do
         is_expected.not_to contain_service('pacemaker')
       end
@@ -629,6 +683,44 @@
         )
       end
 
+      context 'without secauth' do
+        before do
+          params.merge!(
+            enable_secauth: false
+          )
+        end
+
+        it { is_expected.to compile.with_all_deps }
+
+        it 'disables secauth with corsync 2.x syntax' do
+          is_expected.to contain_file('/etc/corosync/corosync.conf').with_content(
+            %r{crypto_hash:\s+none}
+          )
+          is_expected.to contain_file('/etc/corosync/corosync.conf').with_content(
+            %r{crypto_cipher:\s+none}
+          )
+        end
+      end
+
+      context 'with secauth' do
+        before do
+          params.merge!(
+            enable_secauth: true
+          )
+        end
+
+        it { is_expected.to compile.with_all_deps }
+
+        it 'enables secauth with corsync 2.x syntax' do
+          is_expected.to contain_file('/etc/corosync/corosync.conf').with_content(
+            %r{crypto_hash:\s+sha1}
+          )
+          is_expected.to contain_file('/etc/corosync/corosync.conf').with_content(
+            %r{crypto_cipher:\s+aes256}
+          )
+        end
+      end
+
       it 'validates the corosync configuration' do
         is_expected.to contain_file('/etc/corosync/corosync.conf').with_validate_cmd(
           '/usr/bin/env COROSYNC_MAIN_CONFIG_FILE=% /usr/sbin/corosync -t'

templates/corosync.conf.erb

@@ -37,7 +37,18 @@ totem {
 <% if @netmtu -%>
   netmtu:                              <%= @netmtu %>
 <% end -%>
+<% case @secauth_parameter_mode
+   when '1.x' -%>
   secauth:                             <%= @enable_secauth ? 'on' : 'off' %>
+<% when '2.x' -%>
+<% if @enable_secauth -%>
+  crypto_hash:                         <%= @crypto_hash %>
+  crypto_cipher:                       <%= @crypto_cipher %>
+<% else -%>
+  crypto_hash:                         none
+  crypto_cipher:                       none
+<% end -%>
+<% end -%>
 <% if @threads -%>
   threads:                             <%= @threads %>
 <% end -%>
@@ -131,7 +142,8 @@ nodelist {
     ring<%= ring %>_addr: <%= addr %>
 <% end -%>
 <% if @quorum_members_ids.nil? -%>
-    nodeid: <%= i+1 %>
+<%   next_i = i + 1 -%>
+    nodeid: <%= next_i %>
 <% else -%>
     nodeid: <%= [@quorum_members_ids].flatten[i] %>
 <% end -%>

types/cryptocipher.pp

@@ -0,0 +1,7 @@
+# @summary Defines the allowed cipher types for secure corosync communication
+type Corosync::CryptoCipher = Enum[
+  'aes256',
+  'aes192',
+  'aes128',
+  '3des',
+]

types/cryptohash.pp

@@ -0,0 +1,7 @@
+type Corosync::CryptoHash = Enum[
+  'md5',
+  'sha1',
+  'sha256',
+  'sha384',
+  'sha512',
+]