set a random password for keepalived

[simonfelding]

Description

set a random password for keepalived instead of having the same pre-shared key.
also switched to authentication headers instead of the password, as it is more secure that way.
set the folder permissions so you can't just read the password with OS access.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update
• Small minor change not affecting the Ansible Role code (GitHub Actions Workflow, Documentation etc.)

How Has This Been Tested?

[MonolithProjects]

This will cause that all keepalived nodes will have different password

[simonfelding]

Do you know if there is a way to cache the value or something so it's the same for all hosts? I guess it could be set as a fact first and then that fact could be used later?

[MonolithProjects]

Technically you could use local facts for storing it. But then you would need solve also things like to have this secret idempotent but still have an option to change it, use it also for new node joining the keepalived cluster... etc. The solution would have to be too much programmatic i guess... And Ansible is not an programming language :-) I think the value should be left up to user.

[MonolithProjects]

This should be configurable with PASS as the default. Also in case of AH, it would be good to have an additional option for auth_algo.

[simonfelding]

I'm no expert here, I just thought the AH algo was better than the PASS algo because the AH algo isn't as sniffable. Why would you want to use the PASS algo?

[MonolithProjects]

Because there are users which are already using this Ansible Role and by changing keepalived configuration the role may cause service interruption.