Workaround for cinder A/A and etcd with TLS-everywhere

This patch implements a workaround to allow cinder to run in active/
active mode with internal TLS enabled. Cinder uses etcd for its
distributed lock manager, and the LP bug documents several problems
when the deployment enables TLS on the internal API network.

Until a full solution is available, this workaround allows cinder and
etcd to work without TLS. The full solution is complicated, and affects
components outside of tripleo.

Change-Id: Iec0d02f8f51067098dd58beb4fe57a7fd5ab5651
Related-Bug: #1869955
Alan Bishop 2020-03-31 13:25:04 -07:00
parent 17135d60d0
commit e621ff801b
1 changed files with 14 additions and 2 deletions


@ -46,9 +46,18 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
EnableEtcdInternalTLS:
description: Controls whether etcd and the cinder-volume service use TLS
for cinder's lock manager, even when the rest of the internal
API network is using TLS.
type: boolean
default: false
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
internal_tls_enabled:
and:
- {equals: [{get_param: EnableInternalTLS}, true]}
- {equals: [{get_param: EnableEtcdInternalTLS}, true]}
outputs:
role_data:
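Review bot: the description of `EnableEtcdInternalTLS` does not match the condition below it. The new `internal_tls_enabled` condition is an `and` of `EnableInternalTLS` and `EnableEtcdInternalTLS`, so the new parameter can only switch etcd/cinder-volume TLS off within a TLS-everywhere deployment; it can never enable TLS on its own. The phrase "even when the rest of the internal API network is using TLS" reads as if the parameter acts independently. Suggest rewording to something like "When EnableInternalTLS is true, controls whether etcd and the cinder-volume service also use TLS for cinder's lock manager (workaround for bug 1869955)", and stating explicitly that the default of `false` leaves the lock manager traffic unencrypted even though internal TLS is enabled elsewhere, since an operator reading only the parameter list would otherwise assume TLS-everywhere covers it.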
@ -103,7 +112,10 @@ outputs:
template: "etcd/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
- {}
-
# Ensure etcd and cinder-volume aren't configured to use TLS
tripleo::profile::base::etcd::enable_internal_tls: false
tripleo::profile::base::cinder::volume::enable_internal_tls: false
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: etcd
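Review bot: the two hiera overrides `tripleo::profile::base::etcd::enable_internal_tls: false` and `tripleo::profile::base::cinder::volume::enable_internal_tls: false` replace the empty `{}` branch of the `internal_tls_enabled` conditional, so they now apply whenever that condition is false, including the case where `EnableInternalTLS` is true and `EnableEtcdInternalTLS` is left at its default. That is the intended workaround, but the comment "Ensure etcd and cinder-volume aren't configured to use TLS" gives no hint that this is temporary; suggest expanding it to reference the Related-Bug (#1869955) and the parameter that controls it, so that whoever removes the workaround can find both the condition change above and these overrides, and so that a reviewer of a TLS-everywhere deployment understands that etcd lock traffic is deliberately exempted.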