Fix cinder and etcd running with internal TLS enabled
The LP bug referenced below describes a number of issues when
cinder tries to use etcd for its distributed lock manager with
internal TLS enabled. This patch resolves issues related to
generating and distributing etcd's cert and key files.
- The etcd cert must contain a subject alternative name (SAN) for the
etcd node's internal API IP address. This is necessary because etcd
wants to use IP addresses (versus host names), and this requires the
IP address be listed in the TLS certificate.
- The cert and key files are generated on the host, and must be
available to multiple services running in their respective containers.
The cert and key files need to be bind mounted, and an ACL is
required so the etcd and cinder services have permission to read the
files.
EnableEtcdInternalTLS, a workaround introduced in [1], still defaults
to False. The default value can be switched to True after tripleo
switches from using novajoin to the ansible tripleo-ipa role for
registering nodes with the IdM service.
Reviewed: https:/ /review. opendev. org/726949 /git.openstack. org/cgit/ openstack/ tripleo- heat-templates/ commit/ ?id=692717bd460 6949f6f3731a65a a9945cd2b7bf06
Committed: https:/
Submitter: Zuul
Branch: stable/train
commit 692717bd4606949 f6f3731a65aa994 5cd2b7bf06
Author: Alan Bishop <email address hidden>
Date: Mon Apr 27 13:30:18 2020 -0700
Fix cinder and etcd running with internal TLS enabled
The LP bug referenced below describes a number of issues when
cinder tries to use etcd for its distributed lock manager with
internal TLS enabled. This patch resolves issues related to
generating and distributing etcd's cert and key files.
- The etcd cert must contain a subject alternative name (SAN) for the
etcd node's internal API IP address. This is necessary because etcd
wants to use IP addresses (versus host names), and this requires the
IP address be listed in the TLS certificate.
- The cert and key files are generated on the host, and must be
available to multiple services running in their respective containers.
The cert and key files need to be bind mounted, and an ACL is
required so the etcd and cinder services have permission to read the
files.
EnableEtcdI nternalTLS, a workaround introduced in [1], still defaults
to False. The default value can be switched to True after tripleo
switches from using novajoin to the ansible tripleo-ipa role for
registering nodes with the IdM service.
[1] https:/ /review. opendev. org/#/q/ Iec0d02f8f51067 098dd58beb4fe57 a7fd5ab5651
Closes-Bug: #1869955 48d7e5fb1252f20 b5af1dff95c e9266226c8409b6 9525a951dd5 c816d1416ddf6c1 37a10110b1)
Depends-On: Ifa7452ec15b81f
Change-Id: I798d60818b214d
(cherry picked from commit 2fc1290c10f77da