diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 3d9b747080..9c95d4d2b6 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -268,6 +268,7 @@ elasticsearch_port: "9200"
 etcd_client_port: "2379"
 etcd_peer_port: "2380"
+etcd_protocol: "http"
 fluentd_syslog_port: "5140"
diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2
index a9ea776ce6..7cc75926fd 100644
--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@@ -216,5 +216,5 @@ backend_url = {{ redis_connection_string }}
 # NOTE(yoctozepto): we must use etcd3gw (aka etcd3+http) due to issues with alternative (etcd3) and eventlet (as used by cinder)
 # see https://bugs.launchpad.net/kolla-ansible/+bug/1854932
 # and https://review.opendev.org/466098 for details
-backend_url = etcd3+http://{{ 'api' | kolla_address(groups['etcd'][0]) | put_address_in_context('url') }}:{{ etcd_client_port }}
+backend_url = etcd3+{{ etcd_protocol }}://{{ 'api' | kolla_address(groups['etcd'][0]) | put_address_in_context('url') }}:{{ etcd_client_port }}
 {% endif %}
diff --git a/ansible/roles/etcd/defaults/main.yml b/ansible/roles/etcd/defaults/main.yml
index 71ccda4187..0b85fb90e5 100644
--- a/ansible/roles/etcd/defaults/main.yml
+++ b/ansible/roles/etcd/defaults/main.yml
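Review bot: `etcd_protocol: "http"` lands in group_vars/all.yml with no comment, so an operator who sets `internal_protocol` to `https` has nothing here to tell them that etcd client and peer traffic stays in cleartext. I would add above it `# etcd is not behind HAProxy and does not follow internal_protocol; "https" needs etcd's own certificates, which are not configured here.` The same variable also drives the URLs in the etcd role defaults and in the cinder, qinling and skydive templates of this commit, none of which gain certificate options. A precheck that rejects any value other than `http` for now would keep an override from producing a half-configured TLS setup.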
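Review bot: The NOTE above `backend_url` in cinder.conf.j2 still describes the driver as `etcd3+http`, but the scheme suffix is now whatever `etcd_protocol` holds, so the comment no longer matches the line it explains. I would reword it to `# NOTE(yoctozepto): we must use etcd3gw (aka etcd3+http / etcd3+https, per etcd_protocol) due to issues with alternative (etcd3) and eventlet (as used by cinder)`. With `https` the coordination URL would presumably also need CA and client-certificate options that this template does not add, and any other value yields a driver name that tooz is unlikely to recognise. The enclosing `{% if %}` block starts outside the hunk.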
@@ -9,12 +9,12 @@ etcd_services:
 environment:
 ETCD_DATA_DIR: "/var/lib/etcd"
 ETCD_NAME: "{{ ansible_hostname }}"
- ETCD_ADVERTISE_CLIENT_URLS: "{{ internal_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_client_port }}"
- ETCD_LISTEN_CLIENT_URLS: "{{ internal_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_client_port }}"
- ETCD_INITIAL_ADVERTISE_PEER_URLS: "{{ internal_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_peer_port }}"
- ETCD_LISTEN_PEER_URLS: "{{ internal_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_peer_port }}"
+ ETCD_ADVERTISE_CLIENT_URLS: "{{ etcd_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_client_port }}"
+ ETCD_LISTEN_CLIENT_URLS: "{{ etcd_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_client_port }}"
+ ETCD_INITIAL_ADVERTISE_PEER_URLS: "{{ etcd_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_peer_port }}"
+ ETCD_LISTEN_PEER_URLS: "{{ etcd_protocol }}://{{ api_interface_address | put_address_in_context('url') }}:{{ etcd_peer_port }}"
 ETCD_INITIAL_CLUSTER_TOKEN: "{{ etcd_cluster_token }}"
- ETCD_INITIAL_CLUSTER: "{% for host in groups['etcd'] %}{{ hostvars[host]['ansible_hostname'] }}={{ internal_protocol }}://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_peer_port }}{% if not loop.last %},{% endif %}{% endfor %}"
+ ETCD_INITIAL_CLUSTER: "{% for host in groups['etcd'] %}{{ hostvars[host]['ansible_hostname'] }}={{ etcd_protocol }}://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_peer_port }}{% if not loop.last %},{% endif %}{% endfor %}"
 ETCD_INITIAL_CLUSTER_STATE: "new"
 ETCD_OUT_FILE: "/var/log/kolla/etcd/etcd.log"
 KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
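Review bot: The client URLs and the peer URLs in `environment` now share the single `etcd_protocol` value, so peer replication cannot be moved to TLS separately from client access, and with the default both listen in plain `http` on the API interface. Nothing in the visible lines sets certificate or client-authentication variables, so access to `etcd_client_port` and `etcd_peer_port` appears to rest on network placement alone; the mapping continues outside the hunk, so this should be confirmed there. Consider a separate `etcd_peer_protocol: "{{ etcd_protocol }}"` default used in `ETCD_INITIAL_ADVERTISE_PEER_URLS`, `ETCD_LISTEN_PEER_URLS` and `ETCD_INITIAL_CLUSTER`, plus a comment on the block stating that these endpoints must only be reachable from trusted hosts.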
diff --git a/ansible/roles/qinling/templates/qinling.conf.j2 b/ansible/roles/qinling/templates/qinling.conf.j2
index 679804167f..2166c73d35 100644
--- a/ansible/roles/qinling/templates/qinling.conf.j2
+++ b/ansible/roles/qinling/templates/qinling.conf.j2
@@ -41,7 +41,7 @@ file_system_dir = /var/lib/qinling/package
 {% if enable_etcd | bool %}
 host = {{ api_interface_address }}
 port = {{ etcd_client_port }}
-protocol = {{ internal_protocol }}
+protocol = {{ etcd_protocol }}
 {% endif %}
 [oslo_messaging_notifications]
diff --git a/ansible/roles/skydive/templates/skydive-agent.conf.j2 b/ansible/roles/skydive/templates/skydive-agent.conf.j2
index c35cedb5ab..15cda502a2 100644
--- a/ansible/roles/skydive/templates/skydive-agent.conf.j2
+++ b/ansible/roles/skydive/templates/skydive-agent.conf.j2
@@ -15,11 +15,11 @@ etcd:
 servers:
 {% if enable_etcd | bool %}
 {% for host in groups['etcd'] %}
- - http://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
+ - {{ etcd_protocol }}://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
 {% endfor %}
 {% else %}
 {% for host in groups['skydive-analyzer'] %}
- - http://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
+ - {{ etcd_protocol }}://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
 {% endfor %}
 {% endif %}
diff --git a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2
index 92d5cf7838..f3035b6ce3 100644
--- a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2
+++ b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2
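Review bot: In the `{% else %}` branch of skydive-agent.conf.j2 the servers are the `skydive-analyzer` hosts, which per skydive-analyzer.conf.j2 run with `embedded: true`, yet their URLs now take the scheme from `etcd_protocol`, a variable the release note describes as the etcd service's protocol. An override meant for the etcd role would therefore also change how agents and analyzers address the embedded store, whose `listen:` line carries no scheme or TLS setting. Keeping `- http://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}` in the two `{% else %}` loops (here and in the skydive-analyzer.conf.j2 hunk) would limit the new variable to the case where `enable_etcd` is true.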
@@ -26,13 +26,13 @@ etcd:
 embedded: false
 servers:
 {% for host in groups['etcd'] %}
- - http://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
+ - {{ etcd_protocol }}://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
 {% endfor %}
 {% else %}
 embedded: true
 servers:
 {% for host in groups['skydive-analyzer'] %}
- - http://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
+ - {{ etcd_protocol }}://{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ etcd_client_port }}
 {% endfor %}
 listen: {{ api_interface_address | put_address_in_context('url') }}:{{ etcd_client_port }}
 {% endif %}
diff --git a/releasenotes/notes/fix-etcd-protocol-3c9482f90070ee6e.yaml b/releasenotes/notes/fix-etcd-protocol-3c9482f90070ee6e.yaml
new file mode 100644
index 0000000000..a4ea2544ef
--- /dev/null
+++ b/releasenotes/notes/fix-etcd-protocol-3c9482f90070ee6e.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Fix the configuration of the etcd service so that its protocol is
+ independant of the value of the ``internal_protocol`` parameter. The etcd
+ service is not load balanced by HAProxy, so there is no proxy
+ layer to do TLS termination when ``internal_protocol`` is configured to be
+ ``https``.