voxpupuli · optiz0r · Jun 29, 2022
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -597,12 +597,18 @@
         default => 'pcs host auth',
       }
 
+      # Check that all nodes have an authorization token
+      $auth_check_command = $quorum_members.map |$node| {
+        "grep '${node}' /var/lib/pcsd/tokens"
+      }.join(' && ')
+
       # Attempt to authorize all members. The command will return successfully
       # if they were already authenticated so it's safe to run every time this
       # is applied.
       # TODO - make it run only once
       exec { 'authorize_members':
         command => "${pcs_auth_command} ${node_string} ${auth_credential_string}",
+        unless  => $auth_check_command,
         path    => $exec_path,
         require => [
           Service['pcsd'],

diff --git a/spec/classes/corosync_spec.rb b/spec/classes/corosync_spec.rb
@@ -807,6 +807,7 @@
             it 'authorizes all nodes' do
               is_expected.to contain_exec('authorize_members').with(
                 command: "pcs #{auth_command} node1.test.org node2.test.org node3.test.org -u hacluster -p some-secret-sauce",
+                unless: "grep 'node1.test.org' /var/lib/pcsd/tokens && grep 'node2.test.org' /var/lib/pcsd/tokens && grep 'node3.test.org' /var/lib/pcsd/tokens",
                 path: '/sbin:/bin:/usr/sbin:/usr/bin',
                 require: [
                   'Service[pcsd]',