diff --git a/deployment/cinder/cinder-common-container-puppet.yaml b/deployment/cinder/cinder-common-container-puppet.yaml
index ddba11f8ed..d8fbcf75a7 100644
--- a/deployment/cinder/cinder-common-container-puppet.yaml
+++ b/deployment/cinder/cinder-common-container-puppet.yaml
@@ -72,7 +72,7 @@ parameters:
                  for cinder's lock manager, even when the rest of the internal
                  API network is using TLS.
     type: boolean
-    default: false
+    default: true
   CephConfigPath:
     type: string
     default: "/var/lib/tripleo-config/ceph"
diff --git a/deployment/cinder/cinder-volume-container-puppet.yaml b/deployment/cinder/cinder-volume-container-puppet.yaml
index 10de511d7c..0b64a97baa 100644
--- a/deployment/cinder/cinder-volume-container-puppet.yaml
+++ b/deployment/cinder/cinder-volume-container-puppet.yaml
@@ -175,7 +175,7 @@ parameters:
                  for cinder's lock manager, even when the rest of the internal
                  API network is using TLS.
     type: boolean
-    default: false
+    default: true
   CephConfigPath:
     type: string
     default: "/var/lib/tripleo-config/ceph"
diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml
index 513c0417b7..17fead3fd1 100644
--- a/deployment/etcd/etcd-container-puppet.yaml
+++ b/deployment/etcd/etcd-container-puppet.yaml
@@ -51,7 +51,7 @@ parameters:
                  for cinder's lock manager, even when the rest of the internal
                  API network is using TLS.
     type: boolean
-    default: false
+    default: true
   InternalTLSCAFile:
     default: '/etc/ipa/ca.crt'
     type: string
@@ -72,6 +72,16 @@ parameters:
     description: Override the private key size used when creating the
                  certificate for this service
 
+parameter_groups:
+- label: deprecated
+  description: |
+   The following parameters are deprecated and will be removed. They should not
+   be relied on for new deployments. If you have concerns regarding deprecated
+   parameters, please contact the TripleO development team on IRC or the
+   OpenStack mailing list.
+  parameters:
+  - EnableEtcdInternalTLS
+
 conditions:
   internal_tls_enabled:
     and:
diff --git a/releasenotes/notes/deprecate-etcd-tls-workaround-de5dd1fc19dae5b2.yaml b/releasenotes/notes/deprecate-etcd-tls-workaround-de5dd1fc19dae5b2.yaml
new file mode 100644
index 0000000000..dc62ad3112
--- /dev/null
+++ b/releasenotes/notes/deprecate-etcd-tls-workaround-de5dd1fc19dae5b2.yaml
@@ -0,0 +1,14 @@
+---
+upgrade:
+  - |
+    The `EnableEtcdInternalTLS` parameter's default value changes from false
+    to true. The change is related to the fact that novajoin is deprecated,
+    and the functionality associated with the `EnableEtcdInternalTLS` parameter
+    is not required when TLS is deployed using the tripleo-ansible ansible
+    module.
+deprecations:
+  - |
+    The `EnableEtcdInternalTLS` parameter is deprecated. It was added to support
+    a workaround that is necessary when novajoin is used to deploy TLS, but
+    novajoin itself is deprecated. The workaround is not necessary when TLS
+    is deployed using the tripleo-ansible ansible module.