diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml
index a0e0ded515..1dcc202a1b 100644
--- a/deployment/etcd/etcd-container-puppet.yaml
+++ b/deployment/etcd/etcd-container-puppet.yaml
@@ -46,9 +46,18 @@ parameters:
 EnableInternalTLS:
 type: boolean
 default: false
+ EnableEtcdInternalTLS:
+ description: Controls whether etcd and the cinder-volume service use TLS
+ for cinder's lock manager, even when the rest of the internal
+ API network is using TLS.
+ type: boolean
+ default: false
 conditions:
- internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+ internal_tls_enabled:
+ and:
+ - {equals: [{get_param: EnableInternalTLS}, true]}
+ - {equals: [{get_param: EnableEtcdInternalTLS}, true]}
 outputs:
 role_data:
@@ -103,7 +112,10 @@ outputs:
 template: "etcd/%{hiera('fqdn_NETWORK')}"
 params:
 NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
- - {}
+ -
+ # Ensure etcd and cinder-volume aren't configured to use TLS
+ tripleo::profile::base::etcd::enable_internal_tls: false
+ tripleo::profile::base::cinder::volume::enable_internal_tls: false
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: etcd
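Review bot: `EnableEtcdInternalTLS` defaults to `false` and `internal_tls_enabled` now requires both parameters to be true, so a deployment that already sets `EnableInternalTLS: true` would stop using TLS for etcd on its next update unless the operator also sets the new parameter. If that downgrade is not intended, `default: true` keeps the existing behaviour and makes plaintext etcd an explicit opt-out; if it is intended, the description and a release note should say so. The description is also ambiguous about direction; wording such as `Set to false to disable TLS between etcd and cinder-volume's lock manager even when EnableInternalTLS is true.` would match what the condition does.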
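Review bot: The replaced else-branch now forces `enable_internal_tls: false` for both etcd and cinder-volume, but the comment does not say when this branch is taken or why a cinder key is set from the etcd template. The `if` that selects it starts outside the hunk; presumably it is `internal_tls_enabled`, in which case a comment such as `# internal_tls_enabled is false: override the global enable_internal_tls so etcd and cinder-volume's lock-manager client both use plaintext` would be clearer. It is also worth confirming that this hieradata reaches every node running cinder-volume, since a cinder-volume host that does not receive the override could still attempt TLS against a plaintext etcd.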