From a15843222316dc64cc820318ce14151368331beb Mon Sep 17 00:00:00 2001
From: James Kirsch <generalfuzz@gmail.com>
Date: Thu, 18 Jun 2020 12:25:19 -0700
Subject: [PATCH] Fix etcd protocol configuration

The etcd service protocol is currently configured with internal_protocol.
The etcd service is not load balanced by a HAProxy container, so
there is no proxy layer to do TLS termination when internal_protocol
is configured to be "https".

Until the etcd service is configured to deploy with native TLS
termination, the protocol etcd uses should be independent of
internal_protocol, and "http" by default.

Change-Id: I730c02331514244e44004aa06e9399c01264c65d
Closes-Bug: 1884137
---
 ansible/group_vars/all.yml                             |  1 +
 ansible/roles/cinder/templates/cinder.conf.j2          |  2 +-
 ansible/roles/etcd/defaults/main.yml                   | 10 +++++-----
 ansible/roles/qinling/templates/qinling.conf.j2        |  2 +-
 ansible/roles/skydive/templates/skydive-agent.conf.j2  |  4 ++--
 .../roles/skydive/templates/skydive-analyzer.conf.j2   |  4 ++--
 .../notes/fix-etcd-protocol-3c9482f90070ee6e.yaml      |  8 ++++++++
 7 files changed, 20 insertions(+), 11 deletions(-)
 create mode 100644 releasenotes/notes/fix-etcd-protocol-3c9482f90070ee6e.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 3d9b747080..9c95d4d2b6 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -268,6 +268,7 @@ elasticsearch_port: "9200"
 
 etcd_client_port: "2379"
 etcd_peer_port: "2380"
+etcd_protocol: "http"
 
 fluentd_syslog_port: "5140"
 
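Review bot: The new `etcd_protocol` default at the added line carries no comment, and unlike the neighbouring port entries its safe value is not self-evident from the file: the reason etcd must not simply follow `internal_protocol` (no HAProxy in front of it, no native TLS termination yet) is only in the commit message. Add a comment above the line, e.g. `# etcd is not fronted by HAProxy and does not yet terminate TLS itself, so its protocol is decoupled from internal_protocol; "https" is unsupported until native etcd TLS is configured.` so that an operator hardening a deployment does not flip this to match `internal_protocol` and end up with client and peer URLs etcd cannot serve. It is also worth stating plainly in that comment that with the default, etcd client and peer traffic on the API network is plaintext.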
diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2
index a9ea776ce6..7cc75926fd 100644
--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@@ -216,5 +216,5 @@ backend_url = {{ redis_connection_string }}
 # NOTE(yoctozepto): we must use etcd3gw (aka etcd3+http) due to issues with alternative (etcd3) and eventlet (as used by cinder)
 # see https://bugs.launchpad.net/kolla-ansible/+bug/1854932
 # and https://review.opendev.org/466098 for details
-backend_url = etcd3+http://{{ 'api' | kolla_address(groups['etcd'][0]) | put_address_in_context('url') }}:{{ etcd_client_port }}
+backend_url = etcd3+{{ etcd_protocol }}://{{ 'api' | kolla_address(groups['etcd'][0]) | put_address_in_context('url') }}:{{ etcd_client_port }}
 {% endif %}
diff --git a/ansible/roles/etcd/defaults/main.yml b/ansible/roles/etcd/defaults/main.yml
index 71ccda4187..0b85fb90e5 100644
--- a/ansible/roles/etcd/defaults/main.yml
+++ b/ansible/roles/etcd/defaults/main.yml
@@ -9,12 +9,12 @@ etcd_services:
     environment:
       ETCD_DATA_DIR: "/var/lib/etcd"
       ETCD_NAME: "{{ ansible_hostname }}"
-      ETCD_ADVERTISE_CLIENT_URLS: "{{ internal_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_client_port }}"
-      ETCD_LISTEN_CLIENT_URLS: "{{ internal_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_client_port }}"
-      ETCD_INITIAL_ADVERTISE_PEER_URLS: "{{ internal_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_peer_port }}"
-      ETCD_LISTEN_PEER_URLS: "{{ internal_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_peer_port }}"
+      ETCD_ADVERTISE_CLIENT_URLS: "{{ etcd_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_client_port }}"
+      ETCD_LISTEN_CLIENT_URLS: "{{ etcd_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_client_port }}"
+      ETCD_INITIAL_ADVERTISE_PEER_URLS: "{{ etcd_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_peer_port }}"
+      ETCD_LISTEN_PEER_URLS: "{{ etcd_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_peer_port }}"
       ETCD_INITIAL_CLUSTER_TOKEN: "{{ etcd_cluster_token }}"
-      ETCD_INITIAL_CLUSTER: "{% for host in groups['etcd'] %}{{ hostvars[host]['ansible_hostname'] }}={{ internal_protocol }}://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_peer_port }}{% if not loop.last %},{% endif %}{% endfor %}"
+      ETCD_INITIAL_CLUSTER: "{% for host in groups['etcd'] %}{{ hostvars[host]['ansible_hostname'] }}={{ etcd_protocol }}://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_peer_port }}{% if not loop.last %},{% endif %}{% endfor %}"
       ETCD_INITIAL_CLUSTER_STATE: "new"
       ETCD_OUT_FILE: "/var/log/kolla/etcd/etcd.log"
       KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
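Review bot: Setting `etcd_protocol` to "https" would make the listen and advertise URLs in this hunk (ETCD_LISTEN_CLIENT_URLS, ETCD_LISTEN_PEER_URLS, ETCD_INITIAL_CLUSTER and the others) announce TLS endpoints while the environment block passes no certificate or key settings, so etcd would presumably be unable to serve them and every consumer updated in this change (cinder, qinling, skydive) would be pointed at an unusable URL. Until native TLS is implemented, guard the variable in the role's prechecks with an assert such as `that: etcd_protocol == 'http'` with a fail message pointing at this limitation, or at minimum document the restriction next to the default. The `etcd_services` mapping and its `environment` block start before this hunk.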
diff --git a/ansible/roles/qinling/templates/qinling.conf.j2 b/ansible/roles/qinling/templates/qinling.conf.j2
index 679804167f..2166c73d35 100644
--- a/ansible/roles/qinling/templates/qinling.conf.j2
+++ b/ansible/roles/qinling/templates/qinling.conf.j2
@@ -41,7 +41,7 @@ file_system_dir = /var/lib/qinling/package
 {% if enable_etcd | bool %}
 host = {{ api_interface_address }}
 port = {{ etcd_client_port }}
-protocol = {{ internal_protocol }}
+protocol = {{ etcd_protocol }}
 {% endif %}
 
 [oslo_messaging_notifications]
diff --git a/ansible/roles/skydive/templates/skydive-agent.conf.j2 b/ansible/roles/skydive/templates/skydive-agent.conf.j2
index c35cedb5ab..15cda502a2 100644
--- a/ansible/roles/skydive/templates/skydive-agent.conf.j2
+++ b/ansible/roles/skydive/templates/skydive-agent.conf.j2
@@ -15,11 +15,11 @@ etcd:
   servers:
 {% if enable_etcd | bool %}
 {% for host in groups['etcd'] %}
-    - http://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
+    - {{ etcd_protocol }}://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
 {% endfor %}
 {% else %}
 {% for host in groups['skydive-analyzer'] %}
-  - http://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
+  - {{ etcd_protocol }}://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
 {% endfor %}
 {% endif %}
 
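Review bot: The two new sequence items under `servers:` are indented differently, four spaces in the `enable_etcd` branch and two in the `else` branch; each branch renders valid YAML on its own, but the new lines should use one indent so the rendered file is consistent whichever branch is taken. The same pattern appears in the two new lines of the skydive-analyzer.conf.j2 hunk. The enclosing `etcd:` mapping starts before this hunk.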
diff --git a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2
index 92d5cf7838..f3035b6ce3 100644
--- a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2
+++ b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2
@@ -26,13 +26,13 @@ etcd:
   embedded: false
   servers:
 {% for host in groups['etcd'] %}
-    - http://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
+    - {{ etcd_protocol }}://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
 {% endfor %}
 {% else %}
   embedded: true
   servers:
 {% for host in groups['skydive-analyzer'] %}
-  - http://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
+  - {{ etcd_protocol }}://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
 {% endfor %}
   listen: {{ api_interface_address | put_address_in_context('url') }}:{{ etcd_client_port }}
 {% endif %}
diff --git a/releasenotes/notes/fix-etcd-protocol-3c9482f90070ee6e.yaml b/releasenotes/notes/fix-etcd-protocol-3c9482f90070ee6e.yaml
new file mode 100644
index 0000000000..a4ea2544ef
--- /dev/null
+++ b/releasenotes/notes/fix-etcd-protocol-3c9482f90070ee6e.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Fix the configuration of the etcd service so that its protocol is
+    independant of the value of the ``internal_protocol`` parameter. The etcd
+    service is not load balanced by HAProxy, so there is no proxy
+    layer to do TLS termination when ``internal_protocol`` is configured to be
+    ``https``.