From 9949a8efeb0723b65d2a16160cfc70c14d6638a5 Mon Sep 17 00:00:00 2001 From: Alan Bishop Date: Fri, 8 Jan 2021 11:43:16 -0800 Subject: [PATCH] Turn off the etcd TLS workaround used with novajoin [1] introduced a workaround that was required when TLS-everywhere was implemented with novajoin. The workaround is no longer required because novajoin is deprecated in favor of the tripleo-ipa ansible module. The workaround is disabled by changing the EnableEtcdInternalTLS parameter's default value changes from False to True. [1] Iec0d02f8f51067098dd58beb4fe57a7fd5ab5651 Change-Id: Ic41738392fbbe9239b927e26c0b2ed3b7abe3a09 --- .../cinder/cinder-common-container-puppet.yaml | 2 +- .../cinder/cinder-volume-container-puppet.yaml | 2 +- deployment/etcd/etcd-container-puppet.yaml | 12 +++++++++++- ...ecate-etcd-tls-workaround-de5dd1fc19dae5b2.yaml | 14 ++++++++++++++ 4 files changed, 27 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/deprecate-etcd-tls-workaround-de5dd1fc19dae5b2.yaml diff --git a/deployment/cinder/cinder-common-container-puppet.yaml b/deployment/cinder/cinder-common-container-puppet.yaml index ddba11f8ed..d8fbcf75a7 100644 --- a/deployment/cinder/cinder-common-container-puppet.yaml +++ b/deployment/cinder/cinder-common-container-puppet.yaml @@ -72,7 +72,7 @@ parameters: for cinder's lock manager, even when the rest of the internal API network is using TLS. type: boolean - default: false + default: true CephConfigPath: type: string default: "/var/lib/tripleo-config/ceph" diff --git a/deployment/cinder/cinder-volume-container-puppet.yaml b/deployment/cinder/cinder-volume-container-puppet.yaml index 10de511d7c..0b64a97baa 100644 --- a/deployment/cinder/cinder-volume-container-puppet.yaml +++ b/deployment/cinder/cinder-volume-container-puppet.yaml 
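Review bot: The flipped default only reaches deployments that never set the parameter: an environment file that still carries `EnableEtcdInternalTLS: false` from the novajoin era keeps overriding it, and judging by the visible description text that appears to leave the etcd traffic for cinder's lock manager without TLS while the rest of the internal API network uses it. I would extend the parameter description with one sentence such as `Deprecated: set to false only when TLS is deployed with novajoin.` so the reason for the default is visible where the parameter is declared. The same one-line change and the same gap appear in the cinder-volume-container-puppet.yaml and etcd-container-puppet.yaml hunks. The parameter definition starts above the hunk, so the opening of its description is not visible here.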
@@ -175,7 +175,7 @@ parameters: for cinder's lock manager, even when the rest of the internal API network is using TLS. type: boolean - default: false + default: true CephConfigPath: type: string default: "/var/lib/tripleo-config/ceph" diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml index 513c0417b7..17fead3fd1 100644 --- a/deployment/etcd/etcd-container-puppet.yaml +++ b/deployment/etcd/etcd-container-puppet.yaml @@ -51,7 +51,7 @@ parameters: for cinder's lock manager, even when the rest of the internal API network is using TLS. type: boolean - default: false + default: true InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string @@ -72,6 +72,16 @@ parameters: description: Override the private key size used when creating the certificate for this service +parameter_groups: +- label: deprecated + description: | + The following parameters are deprecated and will be removed. They should not + be relied on for new deployments. If you have concerns regarding deprecated + parameters, please contact the TripleO development team on IRC or the + OpenStack mailing list. + parameters: + - EnableEtcdInternalTLS + conditions: internal_tls_enabled: and: diff --git a/releasenotes/notes/deprecate-etcd-tls-workaround-de5dd1fc19dae5b2.yaml b/releasenotes/notes/deprecate-etcd-tls-workaround-de5dd1fc19dae5b2.yaml new file mode 100644 index 0000000000..dc62ad3112 --- /dev/null +++ b/releasenotes/notes/deprecate-etcd-tls-workaround-de5dd1fc19dae5b2.yaml 
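Review bot: The `deprecated` parameter group is added only to etcd-container-puppet.yaml, although the two cinder templates changed in this patch declare the same `EnableEtcdInternalTLS` parameter and their hunks add no such group. Unless they already carry one outside the visible hunks, I would add the same `parameter_groups` entry (label `deprecated`, listing `EnableEtcdInternalTLS`) to cinder-common-container-puppet.yaml and cinder-volume-container-puppet.yaml, so the deprecation is reported wherever an operator can still set the value that controls etcd TLS. The `parameters:` and `conditions:` sections both extend beyond this hunk.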
@@ -0,0 +1,14 @@
+---
+upgrade:
+ - |
+ The `EnableEtcdInternalTLS` parameter's default value changes from false
+ to true. The change is related to the fact that novajoin is deprecated,
+ and the functionality associated with the `EnableEtcdInternalTLS` parameter
+ is not required when TLS is deployed using the tripleo-ansible ansible
+ module.
+deprecations:
+ - |
+ The `EnableEtcdInternalTLS` parameter is deprecated. It was added to support
+ a workaround that is necessary when novajoin is used to deploy TLS, but
+ novajoin itself is deprecated. The workaround is not necessary when TLS
+ is deployed using the tripleo-ansible ansible module.