Turn off the etcd TLS workaround used with novajoin

[1] introduced a workaround that was required when TLS-everywhere was implemented with novajoin. The workaround is no longer required because novajoin is deprecated in favor of the tripleo-ipa ansible module. The workaround is disabled by changing the EnableEtcdInternalTLS parameter's default value changes from False to True. [1] Iec0d02f8f51067098dd58beb4fe57a7fd5ab5651 Change-Id: Ic41738392fbbe9239b927e26c0b2ed3b7abe3a09
openstack-archive · Jan 9, 2021 · 9949a8e · 9949a8e
1 parent 9fd7090
commit 9949a8e
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 3 deletions.
diff --git a/deployment/cinder/cinder-common-container-puppet.yaml b/deployment/cinder/cinder-common-container-puppet.yaml
@@ -72,7 +72,7 @@ parameters:
                  for cinder's lock manager, even when the rest of the internal
                  API network is using TLS.
     type: boolean
-    default: false
+    default: true
   CephConfigPath:
     type: string
     default: "/var/lib/tripleo-config/ceph"

diff --git a/deployment/cinder/cinder-volume-container-puppet.yaml b/deployment/cinder/cinder-volume-container-puppet.yaml
@@ -175,7 +175,7 @@ parameters:
                  for cinder's lock manager, even when the rest of the internal
                  API network is using TLS.
     type: boolean
-    default: false
+    default: true
   CephConfigPath:
     type: string
     default: "/var/lib/tripleo-config/ceph"

diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml
@@ -51,7 +51,7 @@ parameters:
                  for cinder's lock manager, even when the rest of the internal
                  API network is using TLS.
     type: boolean
-    default: false
+    default: true
   InternalTLSCAFile:
     default: '/etc/ipa/ca.crt'
     type: string
@@ -72,6 +72,16 @@ parameters:
     description: Override the private key size used when creating the
                  certificate for this service
 
+parameter_groups:
+- label: deprecated
+  description: |
+   The following parameters are deprecated and will be removed. They should not
+   be relied on for new deployments. If you have concerns regarding deprecated
+   parameters, please contact the TripleO development team on IRC or the
+   OpenStack mailing list.
+  parameters:
+  - EnableEtcdInternalTLS
+
 conditions:
   internal_tls_enabled:
     and:

diff --git a/releasenotes/notes/deprecate-etcd-tls-workaround-de5dd1fc19dae5b2.yaml b/releasenotes/notes/deprecate-etcd-tls-workaround-de5dd1fc19dae5b2.yaml
@@ -0,0 +1,14 @@
+---
+upgrade:
+  - |
+    The `EnableEtcdInternalTLS` parameter's default value changes from false
+    to true. The change is related to the fact that novajoin is deprecated,
+    and the functionality associated with the `EnableEtcdInternalTLS` parameter
+    is not required when TLS is deployed using the tripleo-ansible ansible
+    module.
+deprecations:
+  - |
+    The `EnableEtcdInternalTLS` parameter is deprecated. It was added to support
+    a workaround that is necessary when novajoin is used to deploy TLS, but
+    novajoin itself is deprecated. The workaround is not necessary when TLS
+    is deployed using the tripleo-ansible ansible module.