Bug 1848153 - etcd not using TLS when deployed with TLS-everywhere
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: Alpha
Target Release: 17.0
Assignee: Alan Bishop
QA Contact: Tzach Shefi
URL:
Whiteboard:
Depends On: 1823932 1855403 1859750
Blocks:
Reported: 2020-06-17 19:48 UTC by Alan Bishop
Modified: 2022-09-22 18:20 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-14.3.1-0.20210912021828.e7f8587.el8ost
Doc Type: Enhancement
Doc Text:
With this update, you can now use Red Hat OpenStack Platform director to configure the etcd service to use TLS endpoints when deploying TLS-everywhere.
Clone Of:
Environment:
Last Closed: 2022-09-21 12:10:46 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 769985 | 0 | None | MERGED | Turn off the etcd TLS workaround used with novajoin | 2022-08-30 16:37:48 UTC
Red Hat Issue Tracker | OSP-10298 | 0 | None | None | None | 2022-04-13 19:53:52 UTC
Red Hat Product Errata | RHEA-2022:6543 | 0 | None | None | None | 2022-09-21 12:11:51 UTC

Description Alan Bishop 2020-06-17 19:48:43 UTC
In order to work around early issues encountered with cinder trying to use etcd for its distributed lock manager in a tls-e deployment, a new THT parameter was introduced by [1] that controls whether etcd (and cinder) actually use TLS.

[1] https://review.opendev.org/717837

The new EnableEtcdInternalTLS defaults to False. Full support for TLS is possible when tls-e is deployed using tripleo-ipa (see bug #1823932), but that is not the default tls-e deployment in Train. Train still defaults to using novajoin, which needs to be fixed in order for etcd to support TLS (see bug #1843701).

In other words, once bug #1843701 is fixed it will be possible to deploy etcd with TLS. At that point, the EnableEtcdInternalTLS should default to True.
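
An added example, not part of the bug report or of tripleo-heat-templates: a small audit that reads a node's etcd environment settings and cinder's `[coordination] backend_url` and flags any endpoint left on plain HTTP, which is the state this bug describes when EnableEtcdInternalTLS is False. The sample file contents and addresses are constructed and their exact shape on a deployed node is an assumption; the function names are hypothetical.

```python
import configparser
from urllib.parse import urlsplit

# Real etcd environment variable names that carry endpoint URLs.
ETCD_URL_KEYS = (
    "ETCD_LISTEN_CLIENT_URLS", "ETCD_ADVERTISE_CLIENT_URLS",
    "ETCD_LISTEN_PEER_URLS", "ETCD_INITIAL_ADVERTISE_PEER_URLS",
)

# Constructed sample input (assumed shape of a node without etcd TLS).
PLAINTEXT_ETCD = """\
ETCD_LISTEN_CLIENT_URLS="http://172.17.1.10:2379"
ETCD_ADVERTISE_CLIENT_URLS="http://172.17.1.10:2379"
ETCD_LISTEN_PEER_URLS="http://172.17.1.10:2380"
"""
PLAINTEXT_CINDER = "[coordination]\nbackend_url = etcd3+http://172.17.1.10:2379\n"


def parse_env(text):
    """Parse KEY=value lines (environment-file style) into a dict."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            out[key.strip()] = val.strip().strip('"')
    return out


def audit(etcd_env_text, cinder_conf_text):
    """Return a list of findings; an empty list means every endpoint is https."""
    findings = []
    env = parse_env(etcd_env_text)
    for key in ETCD_URL_KEYS:
        for url in filter(None, (u.strip() for u in env.get(key, "").split(","))):
            if urlsplit(url).scheme != "https":
                findings.append(f"etcd {key} is not TLS: {url}")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cinder_conf_text)
    backend = cp.get("coordination", "backend_url", fallback="")
    # tooz backend URLs look like etcd3+http://host:2379 or etcd3+https://host:2379
    scheme = urlsplit(backend).scheme
    if scheme.startswith("etcd3") and not scheme.endswith("+https"):
        findings.append(f"cinder coordination backend is not TLS: {backend}")
    return findings


if __name__ == "__main__":
    for finding in audit(PLAINTEXT_ETCD, PLAINTEXT_CINDER):
        print(finding)
```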

Comment 17 errata-xmlrpc 2022-09-21 12:10:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

