Restore missing SAN IP in etcd cert

This patch fixes a regression in the etcd cert that is used with tls-everywhere. The etcd service makes cluster connections using its IP address, so with tls-e the etcd cert needs to include its address as a SAN IP. The SAN IP was inadvertently dropped when cert generation was moved from puppet to an ansible role. Resolves: rhbz#2096230 Change-Id: I28e268c58bf63aaa81a67f48ca492fe97d9a07e9
openstack-archive · Jun 13, 2022 · 9ed1c7b · 9ed1c7b
1 parent 1a12459
commit 9ed1c7b
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml
@@ -314,6 +314,12 @@ outputs:
                                 template: "{{cloud_names.cloud_name_NETWORK}}"
                                 params:
                                   NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
+                          # etcd3 expects to use IP addresses, so add a SAN IP to its cert
+                          ip:
+                            str_replace:
+                              template: "{{NETWORK_ip}}"
+                              params:
+                                NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
                           principal:
                             str_replace:
                               template: "etcd/{{fqdn_$NETWORK}}@{{idm_realm}}"