Fixes for etcd's certmonger cert and key generation:

- Do not chown the cert and key files generated on the host. In addition
  to the fact that "etcd" is not a valid user|group name on the host, an
  ACL must be used to allow other services (such as cinder) to access
  the files. That ACL will be handled at the THT layer.
- New $dnsnames parameter supports adding a list of subject alternative
  names (SANs) to the cert.
- Remove obsolete default $postsave_cmd (see comment in the code), but
  make it a parameter so it can be overridden if necessary.

The cinder-volume service uses etcd when cinder is configured for
active/active mode. When internal TLS is enabled, the backend_url must
include references to etcd's cert and key files.

Partial-Bug: #1869955
Change-Id: Ifa7452ec15b81f48d7e5fb1252f20b5af1dff95c
(cherry picked from commit 63111546cdc983c383e964f33618a78e7185fb81)

Reviewed: https://review.opendev.org/724219
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=a1da18aed63cae60cd7efc6bade8f17869e07377
Submitter: Zuul
Branch: stable/train

commit a1da18aed63cae60cd7efc6bade8f17869e07377
Author: Alan Bishop <email address hidden>
Date: Wed Apr 1 09:23:26 2020 -0700

Fix etcd's support for internal TLS

Fixes for etcd's certmonger cert and key generation:

- Do not chown the cert and key files generated on the host. In addition
  to the fact that "etcd" is not a valid user|group name on the host, an
  ACL must be used to allow other services (such as cinder) to access
  the files. That ACL will be handled at the THT layer.
- New $dnsnames parameter supports adding a list of subject alternative
  names (SANs) to the cert.
- Remove obsolete default $postsave_cmd (see comment in the code), but
  make it a parameter so it can be overridden if necessary.

The cinder-volume service uses etcd when cinder is configured for
active/active mode. When internal TLS is enabled, the backend_url must
include references to etcd's cert and key files.

Partial-Bug: #1869955
Change-Id: Ifa7452ec15b81f48d7e5fb1252f20b5af1dff95c
(cherry picked from commit 63111546cdc983c383e964f33618a78e7185fb81)