Workaround for cinder A/A and etcd with TLS-everywhere
This patch implements a workaround to allow cinder to run in active/active mode with internal TLS enabled. Cinder uses etcd for its distributed lock manager, and the LP bug documents several problems when the deployment enables TLS on the internal API network. Until a full solution is available, this workaround allows cinder and etcd to work without TLS. The full solution is complicated, and affects components outside of tripleo. Change-Id: Iec0d02f8f51067098dd58beb4fe57a7fd5ab5651 Related-Bug: #1869955
parent
17135d60d0
commit
e621ff801b
|
@ -46,9 +46,18 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
EnableEtcdInternalTLS:
|
||||
description: Controls whether etcd and the cinder-volume service use TLS
|
||||
for cinder's lock manager, even when the rest of the internal
|
||||
API network is using TLS.
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
internal_tls_enabled:
|
||||
and:
|
||||
- {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
- {equals: [{get_param: EnableEtcdInternalTLS}, true]}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
|
@ -103,7 +112,10 @@ outputs:
|
|||
template: "etcd/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
- {}
|
||||
-
|
||||
# Ensure etcd and cinder-volume aren't configured to use TLS
|
||||
tripleo::profile::base::etcd::enable_internal_tls: false
|
||||
tripleo::profile::base::cinder::volume::enable_internal_tls: false
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
config_volume: etcd
|
||||
|
|
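Review bot: With `default: false` on the new `EnableEtcdInternalTLS` parameter, a deployment that already sets `EnableInternalTLS: true` falls into the branch that forces `tripleo::profile::base::etcd::enable_internal_tls: false` and the cinder-volume equivalent, so the lock-manager traffic between cinder-volume and etcd is no longer TLS-protected on the internal API network unless the operator opts back in, and the parameter description does not say so. I would spell out the consequence in the description, for example `When false (the default), etcd and cinder-volume do not use TLS for cinder's lock manager, so that traffic is unencrypted even if EnableInternalTLS is true.`, and point to bug #1869955 so the downgrade is traceable. The condition also keeps the name `internal_tls_enabled` although it now requires both parameters; a name such as `etcd_internal_tls_enabled` would stop readers from assuming it mirrors `EnableInternalTLS`. The `outputs` section that consumes the condition starts and ends outside the visible hunks, so any other use of it in this template cannot be checked from here.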