Turn off the etcd TLS workaround used with novajoin

[1] introduced a workaround that was required when TLS-everywhere was implemented with novajoin. The workaround is no longer required because novajoin is deprecated in favor of the tripleo-ipa ansible module. The workaround is disabled by changing the EnableEtcdInternalTLS parameter's default value changes from False to True. [1] Iec0d02f8f51067098dd58beb4fe57a7fd5ab5651 Change-Id: Ic41738392fbbe9239b927e26c0b2ed3b7abe3a09
2021-01-08 11:43:16 -08:00 · 2021-01-08 11:43:16 -08:00 · 9949a8efeb
commit 9949a8efeb
parent 9fd709019f
4 changed files with 27 additions and 3 deletions
--- a/deployment/cinder/cinder-common-container-puppet.yaml
+++ b/deployment/cinder/cinder-common-container-puppet.yaml
@ -72,7 +72,7 @@ parameters:
                 for cinder's lock manager, even when the rest of the internal
                 API network is using TLS.
    type: boolean
-    default: false
+    default: true
  CephConfigPath:
    type: string
    default: "/var/lib/tripleo-config/ceph"
--- a/deployment/cinder/cinder-volume-container-puppet.yaml
+++ b/deployment/cinder/cinder-volume-container-puppet.yaml
@ -175,7 +175,7 @@ parameters:
                 for cinder's lock manager, even when the rest of the internal
                 API network is using TLS.
    type: boolean
-    default: false
+    default: true
  CephConfigPath:
    type: string
    default: "/var/lib/tripleo-config/ceph"
--- a/deployment/etcd/etcd-container-puppet.yaml
+++ b/deployment/etcd/etcd-container-puppet.yaml
@ -51,7 +51,7 @@ parameters:
                 for cinder's lock manager, even when the rest of the internal
                 API network is using TLS.
    type: boolean
-    default: false
+    default: true
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
@ -72,6 +72,16 @@ parameters:
    description: Override the private key size used when creating the
                 certificate for this service

+parameter_groups:
+- label: deprecated
+  description: |
+   The following parameters are deprecated and will be removed. They should not
+   be relied on for new deployments. If you have concerns regarding deprecated
+   parameters, please contact the TripleO development team on IRC or the
+   OpenStack mailing list.
+  parameters:
+  - EnableEtcdInternalTLS
+
 conditions:
  internal_tls_enabled:
    and:
--- a/releasenotes/notes/deprecate-etcd-tls-workaround-de5dd1fc19dae5b2.yaml
+++ b/releasenotes/notes/deprecate-etcd-tls-workaround-de5dd1fc19dae5b2.yaml
@ -0,0 +1,14 @@
+---
+upgrade:
+  - |
+    The `EnableEtcdInternalTLS` parameter's default value changes from false
+    to true. The change is related to the fact that novajoin is deprecated,
+    and the functionality associated with the `EnableEtcdInternalTLS` parameter
+    is not required when TLS is deployed using the tripleo-ansible ansible
+    module.
+deprecations:
+  - |
+    The `EnableEtcdInternalTLS` parameter is deprecated. It was added to support
+    a workaround that is necessary when novajoin is used to deploy TLS, but
+    novajoin itself is deprecated. The workaround is not necessary when TLS
+    is deployed using the tripleo-ansible ansible module.