Manage Ganeti cluster domain secret in Puppet
The cluster domain secret, stored in /var/lib/ganeti/cluster-domain-secret on all nodes of a Ganeti cluster, must be identical between all nodes involved in a cross-cluster migration. Furthermore, the upstream documentation offers this recommendation:
It is recommended to assign the same domain secret to all clusters of the same security domain, so that instances can be easily moved between them.
The documentation suggests using gnt-cluster renew-crypto --cluster-domain-secret=/.../ganeti.cds to install the new secret, but it seems like simply dropping the file content into place is sufficient. gnt-cluster verify will only complain if the file is not identical between nodes.
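
One way to confirm the file is identical on every node, including nodes of different clusters in the same security domain, is to compare per-node SHA-256 digests against the digest of the secret that is supposed to be deployed, so the secret itself is never copied around. This is an added example, not part of the original text and not Ganeti or Puppet code; the function name cds_drift, the ssh-based collection step, and the hostnames and digests in the sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Detect cluster-domain-secret drift by comparing digests only.
# Input on stdin, one line per node: "<node> <sha256-hex>", gathered for example with
#   ssh "$node" sha256sum /var/lib/ganeti/cluster-domain-secret
# (the collection method is an assumption; only the digest leaves the node).

# cds_drift EXPECTED_SHA256
# Prints every node whose digest is missing or differs from EXPECTED_SHA256.
# Returns 1 if at least one node drifted, 0 if all nodes match.
cds_drift() {
    expected=$1
    awk -v want="$expected" '
        NF == 0    { next }                 # ignore blank lines
        $2 != want { print $1; bad = 1 }    # empty $2 means the file was missing
        END        { exit bad + 0 }
    '
}

# Constructed sample data: hostnames and digests are made up.
SAMPLE_EXPECTED=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_OTHER=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210

# Two clusters (a and b): b2 carries a different secret, b3 has no file at all.
sample_report() {
    cat <<EOF
node-a1.example.org $SAMPLE_EXPECTED
node-a2.example.org $SAMPLE_EXPECTED
node-b1.example.org $SAMPLE_EXPECTED
node-b2.example.org $SAMPLE_OTHER
node-b3.example.org
EOF
}

# Stand-alone run over the constructed sample.
if drifted=$(sample_report | cds_drift "$SAMPLE_EXPECTED"); then
    echo "cluster-domain-secret is consistent on all nodes"
else
    echo "cluster-domain-secret differs or is missing on:"
    echo "$drifted"
fi
```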