From fa8a128e4905956624bec9e4d78f45a8a74c81ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Han?= <seb@redhat.com>
Date: Thu, 11 Jan 2018 19:07:43 +0100
Subject: [PATCH] etcd: ability to enable/disable ETCD_PEER_CLIENT_CERT_AUTH
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Some installations are failing to authenticate with peers because
etcd picks up/resolves the wrong node name.

By setting 'etcd_peer_client_auth' to "False" you can disable peer client cert
authentication.

Signed-off-by: Sébastien Han <seb@redhat.com>
---
 inventory/group_vars/all.yml     | 4 ++++
 roles/etcd/defaults/main.yml     | 3 +++
 roles/etcd/templates/etcd.env.j2 | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
index 6d644ceef..840c8796f 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -20,6 +20,10 @@ bin_dir: /usr/local/bin
 ## This may be the case if clients support and loadbalance multiple etcd servers  natively.
 #etcd_multiaccess: true
 
+### ETCD: disable peer client cert authentication.
+# This affects ETCD_PEER_CLIENT_CERT_AUTH variable
+#etcd_peer_client_auth: true
+
 ## External LB example config
 ## apiserver_loadbalancer_domain_name: "elb.some.domain"
 #loadbalancer_apiserver:
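Review bot: The heading on the new commented example says "disable peer client cert authentication" while the example value shown is `true`, so a reader has to work out which direction the knob goes. Naming the value that disables it and what that costs would make the inventory self-explanatory: `### ETCD: set to false to stop etcd verifying the client cert of connecting peers (ETCD_PEER_CLIENT_CERT_AUTH).` followed by `# The peer CA/cert/key are still configured, but with this off any host that can reach the peer port can join as a peer; prefer fixing the hostname resolution instead.` The claim about the CA/cert/key lines is based on the etcd.env.j2 hunk in this patch, which leaves them in place.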
diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml
index 3029409af..f394e41aa 100644
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -40,3 +40,6 @@ etcd_vault_mount_path: etcd
 
 # Force clients like etcdctl to use TLS certs (different than peer security)
 etcd_secure_client: true
+
+# Enable peer client cert authentication
+etcd_peer_client_auth: true
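Review bot: The one-line comment on `etcd_peer_client_auth` documents the switch but not the consequence of flipping it, and the commit message presents `false` as a workaround for etcd resolving the wrong node rather than a supported mode. The default should say that plainly so nobody treats it as a benign tuning knob, e.g. `# Verify the client cert of connecting peers (ETCD_PEER_CLIENT_CERT_AUTH).` and `# Only set to false as a temporary workaround for peer name-resolution failures: the peer port then accepts any TLS client, so a host reachable on 2380 can join the cluster.` The port number is the usual etcd peer port and is not shown in this patch, so drop it from the comment if the role uses another.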
diff --git a/roles/etcd/templates/etcd.env.j2 b/roles/etcd/templates/etcd.env.j2
index 5f14d05b6..6a917d127 100644
--- a/roles/etcd/templates/etcd.env.j2
+++ b/roles/etcd/templates/etcd.env.j2
@@ -23,4 +23,4 @@ ETCD_CLIENT_CERT_AUTH={{ etcd_secure_client | lower}}
 ETCD_PEER_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
 ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
 ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
-ETCD_PEER_CLIENT_CERT_AUTH=true
+ETCD_PEER_CLIENT_CERT_AUTH={{ etcd_peer_client_auth }}
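Review bot: The new line renders the raw variable, whereas the sibling `ETCD_CLIENT_CERT_AUTH` line in this hunk passes it through `| lower`, so an Ansible boolean comes out as `True`/`False` here and `true`/`false` two lines up. etcd presumably parses both spellings as a bool, but the inconsistency invites a future `yes`/`no` or quoted-string value to behave differently on the two lines; `ETCD_PEER_CLIENT_CERT_AUTH={{ etcd_peer_client_auth | lower }}` keeps the two in step. Since `ETCD_PEER_TRUSTED_CA_FILE`, `ETCD_PEER_CERT_FILE` and `ETCD_PEER_KEY_FILE` stay unconditional, a false value only drops verification of the connecting peer's certificate while the member still presents its own, which is worth stating in a `{# ... #}` comment above the line so the rendered env file is not misread as a plain-HTTP peer setup.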
-- 
GitLab