From aeb5bc9b978ab80e9267d331333f5964ec33136b Mon Sep 17 00:00:00 2001
From: Alan Bishop
Date: Tue, 31 Mar 2020 13:25:04 -0700
Subject: [PATCH] Workaround for cinder A/A and etcd with TLS-everywhere
This patch implements a workaround to allow cinder to run in active/ active mode with internal TLS enabled. Cinder uses etcd for its distributed lock manager, and the LP bug documents several problems when the deployment enables TLS on the internal API network. Until a full solution is available, this workaround allows cinder and etcd to work without TLS. The full solution is complicated, and affects components outside of tripleo.
Change-Id: Iec0d02f8f51067098dd58beb4fe57a7fd5ab5651
Related-Bug: #1869955
(cherry picked from commit e621ff801bef9d4b04696ad11da06b64080e1352)
---
 deployment/etcd/etcd-container-puppet.yaml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml
index a0e0ded515..1dcc202a1b 100644
--- a/deployment/etcd/etcd-container-puppet.yaml
+++ b/deployment/etcd/etcd-container-puppet.yaml
@@ -46,9 +46,18 @@ parameters:
 EnableInternalTLS:
 type: boolean
 default: false
+ EnableEtcdInternalTLS:
+ description: Controls whether etcd and the cinder-volume service use TLS
+ for cinder's lock manager, even when the rest of the internal
+ API network is using TLS.
+ type: boolean
+ default: false
 conditions:
- internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+ internal_tls_enabled:
+ and:
+ - {equals: [{get_param: EnableInternalTLS}, true]}
+ - {equals: [{get_param: EnableEtcdInternalTLS}, true]}
 outputs:
 role_data:
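Review bot: The `EnableEtcdInternalTLS` description does not say what the `false` default does. Because `internal_tls_enabled` is now an `and` of both parameters, a deployment that sets `EnableInternalTLS: true` still gets etcd without TLS unless it also sets this parameter, so cinder's lock-manager traffic crosses the internal API network unencrypted by default. The current wording ("use TLS ... even when the rest of the internal API network is using TLS") reads like an opt-out rather than an opt-in. I would reword it to `description: Set to true to use TLS between etcd and cinder-volume (cinder's lock manager). When false (the default), that traffic is not encrypted even if EnableInternalTLS is true.` Any other use of `internal_tls_enabled` in this file, outside the hunk, now carries the narrower meaning too, so a name such as `etcd_internal_tls_enabled` would make that visible.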
@@ -103,7 +112,10 @@ outputs:
 template: "etcd/%{hiera('fqdn_NETWORK')}"
 params:
 NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
- - {}
+ -
+ # Ensure etcd and cinder-volume aren't configured to use TLS
+ tripleo::profile::base::etcd::enable_internal_tls: false
+ tripleo::profile::base::cinder::volume::enable_internal_tls: false
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: etcd
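Review bot: The added comment does not record that these two `false` values are a temporary security downgrade, so nothing in the template prompts their removal once etcd works with TLS. I would write `# WORKAROUND (LP #1869955): etcd and cinder-volume run without TLS here; remove once the bug is fixed`. The entry replaces what looks like the else branch of an `if` that starts above the hunk, so it presumably also applies when `EnableInternalTLS` is true and `EnableEtcdInternalTLS` is left at its default. The `tripleo::profile::base::cinder::volume::enable_internal_tls` key is set from the etcd service template, which suggests it only reaches nodes where etcd is deployed. If cinder-volume can run on a role without etcd, it may keep TLS settings that etcd does not match, which is worth confirming.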