tripleo-heat-templates

History

Alan Bishop 2fc1290c10 Fix cinder and etcd running with internal TLS enabled The LP bug referenced below describes a number of issues when cinder tries to use etcd for its distributed lock manager with internal TLS enabled. This patch resolves issues related to generating and distributing etcd's cert and key files. - The etcd cert must contain a subject alternative name (SAN) for the etcd node's internal API IP address. This is necessary because etcd wants to use IP addresses (versus host names), and this requires the IP address be listed in the TLS certificate. - The cert and key files are generated on the host, and must be available to multiple services running in their respective containers. The cert and key files need to be bind mounted, and an ACL is required so the etcd and cinder services have permission to read the files. EnableEtcdInternalTLS, a workaround introduced in [1], still defaults to False. The default value can be switched to True after tripleo switches from using novajoin to the ansible tripleo-ipa role for registering nodes with the IdM service. [1] https://review.opendev.org/#/q/Iec0d02f8f51067098dd58beb4fe57a7fd5ab5651 Closes-Bug: #1869955 Depends-On: Ifa7452ec15b81f48d7e5fb1252f20b5af1dff95c Change-Id: I798d60818b214de9266226c8409b69525a951dd5	2020-04-30 10:35:19 -07:00
..
etcd-container-puppet.yaml	Fix cinder and etcd running with internal TLS enabled	2020-04-30 10:35:19 -07:00

Alan Bishop 2fc1290c10 Fix cinder and etcd running with internal TLS enabled

The LP bug referenced below describes a number of issues when
cinder tries to use etcd for its distributed lock manager with
internal TLS enabled. This patch resolves issues related to
generating and distributing etcd's cert and key files.

- The etcd cert must contain a subject alternative name (SAN) for the
  etcd node's internal API IP address. This is necessary because etcd
  wants to use IP addresses (versus host names), and this requires the
  IP address be listed in the TLS certificate.
- The cert and key files are generated on the host, and must be
  available to multiple services running in their respective containers.
  The cert and key files need to be bind mounted, and an ACL is
  required so the etcd and cinder services have permission to read the
  files.

EnableEtcdInternalTLS, a workaround introduced in [1], still defaults
to False. The default value can be switched to True after tripleo
switches from using novajoin to the ansible tripleo-ipa role for
registering nodes with the IdM service.

[1] https://review.opendev.org/#/q/Iec0d02f8f51067098dd58beb4fe57a7fd5ab5651

Closes-Bug: #1869955
Depends-On: Ifa7452ec15b81f48d7e5fb1252f20b5af1dff95c
Change-Id: I798d60818b214de9266226c8409b69525a951dd5

2020-04-30 10:35:19 -07:00

etcd-container-puppet.yaml

Fix cinder and etcd running with internal TLS enabled

2020-04-30 10:35:19 -07:00