Comment 17 for bug 1869955

Reviewed: https://review.opendev.org/726949
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=692717bd4606949f6f3731a65aa9945cd2b7bf06
Submitter: Zuul
Branch: stable/train

commit 692717bd4606949f6f3731a65aa9945cd2b7bf06
Author: Alan Bishop <email address hidden>
Date: Mon Apr 27 13:30:18 2020 -0700

    Fix cinder and etcd running with internal TLS enabled

    The LP bug referenced below describes a number of issues when
    cinder tries to use etcd for its distributed lock manager with
    internal TLS enabled. This patch resolves issues related to
    generating and distributing etcd's cert and key files.

    - The etcd cert must contain a subject alternative name (SAN) for the
      etcd node's internal API IP address. This is necessary because etcd
      wants to use IP addresses (versus host names), and this requires the
      IP address be listed in the TLS certificate.
    - The cert and key files are generated on the host, and must be
      available to multiple services running in their respective containers.
      The cert and key files need to be bind mounted, and an ACL is
      required so the etcd and cinder services have permission to read the
      files.

    EnableEtcdInternalTLS, a workaround introduced in [1], still defaults
    to False. The default value can be switched to True after tripleo
    switches from using novajoin to the ansible tripleo-ipa role for
    registering nodes with the IdM service.

    [1] https://review.opendev.org/#/q/Iec0d02f8f51067098dd58beb4fe57a7fd5ab5651

    Closes-Bug: #1869955
    Depends-On: Ifa7452ec15b81f48d7e5fb1252f20b5af1dff95c
    Change-Id: I798d60818b214de9266226c8409b69525a951dd5
    (cherry picked from commit 2fc1290c10f77dac816d1416ddf6c137a10110b1)