Comment 16 for bug 1869955

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/train)

Reviewed: https://review.opendev.org/724219
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=a1da18aed63cae60cd7efc6bade8f17869e07377
Submitter: Zuul
Branch: stable/train

commit a1da18aed63cae60cd7efc6bade8f17869e07377
Author: Alan Bishop <email address hidden>
Date: Wed Apr 1 09:23:26 2020 -0700

    Fix etcd's support for internal TLS

    Fixes for etcd's certmonger cert and key generation:
    - Do not chown the cert and key files generated on the host. In addition
      to the fact that "etcd" is not a valid user|group name on the host, an
      ACL must be used to allow other services (such as cinder) to access
      the files. That ACL will be handled at the THT layer.
    - New $dnsnames parameter supports adding a list of subject alternative
      names (SAN) to the cert.
    - Remove obsolete default $postsave_cmd (see comment in the code), but
      make it a parameter so it can be overridden if necessary.

    The cinder-volume service uses etcd when cinder is configured for
    active/active mode. When internal TLS is enabled, the backend_url must
    include references to etcd's cert and key files.

    Partial-Bug: #1869955
    Change-Id: Ifa7452ec15b81f48d7e5fb1252f20b5af1dff95c
    (cherry picked from commit 63111546cdc983c383e964f33618a78e7185fb81)