diff --git a/deployment_scripts/puppet/manifests/haproxy.pp b/deployment_scripts/puppet/manifests/haproxy.pp index ebc1e57..b18c64d 100644 --- a/deployment_scripts/puppet/manifests/haproxy.pp +++ b/deployment_scripts/puppet/manifests/haproxy.pp @@ -19,24 +19,27 @@ $kibana_backend_port = hiera('lma::elasticsearch::apache_port') $kibana_backend_viewer_port = hiera('lma::elasticsearch::apache_viewer_port') $kibana_frontend_port = hiera('lma::elasticsearch::kibana_frontend_port') $kibana_frontend_viewer_port = hiera('lma::elasticsearch::kibana_frontend_viewer_port') -$vip = hiera('lma::elasticsearch::vip') +$es_vip = hiera('lma::elasticsearch::vip') +$kibana_vip = hiera('lma::kibana::vip') -$nodes_ips = hiera('lma::elasticsearch::nodes') -$nodes_names = prefix(range(1, size($nodes_ips)), 'server_') +$es_nodes_ips = hiera('lma::elasticsearch::nodes') +$es_nodes_names = prefix(range(1, size($es_nodes_ips)), 'server_') +$kibana_nodes_ips = hiera('lma::kibana::nodes') +$kibana_nodes_names = prefix(range(1, size($kibana_nodes_ips)), 'server_') Openstack::Ha::Haproxy_service { - server_names => $nodes_names, - ipaddresses => $nodes_ips, public => false, public_ssl => false, internal => true, - internal_virtual_ip => $vip, } $es_haproxy_service = hiera('lma::elasticsearch::es_haproxy_service') openstack::ha::haproxy_service { $es_haproxy_service: order => '920', + internal_virtual_ip => $es_vip, listen_port => $es_port, + server_names => $es_nodes_names, + ipaddresses => $es_nodes_ips, balancermember_port => $es_port, balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3', haproxy_config_options => { 
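Review bot: The `elasticsearch-rest` service (order '920') is the only listener in this file without `internal_ssl`, and it is now the only one bound to `$es_vip`, yet nothing at the declaration records that this binding is load-bearing for the separation the commit introduces. A later maintainer adding `$kibana_vip` here (the obvious copy-paste from the kibana blocks below) would put the unauthenticated REST port on the 'kibana' network, which hiera_override.pp describes as the one that may be public. I would pin the intent with a comment above the declaration: `# Elasticsearch REST has no TLS in this config and must stay on the management (ES) VIP; never bind it to $kibana_vip.` The `haproxy_config_options` hash and the rest of this resource continue past the end of the hunk.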
@@ -53,7 +56,10 @@ if $kibana_tls['enabled'] { order => '921', internal_ssl => true, internal_ssl_path => $kibana_tls['cert_file_path'], + internal_virtual_ip => $kibana_vip, listen_port => $kibana_frontend_port, + server_names => $kibana_nodes_names, + ipaddresses => $kibana_nodes_ips, balancermember_port => $kibana_backend_port, balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3', haproxy_config_options => { @@ -67,7 +73,10 @@ if $kibana_tls['enabled'] { order => '922', internal_ssl => true, internal_ssl_path => $kibana_tls['cert_file_path'], + internal_virtual_ip => $kibana_vip, listen_port => $kibana_frontend_viewer_port, + server_names => $kibana_nodes_names, + ipaddresses => $kibana_nodes_ips, balancermember_port => $kibana_backend_viewer_port, balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3', haproxy_config_options => { @@ -81,7 +90,10 @@ if $kibana_tls['enabled'] { } else { openstack::ha::haproxy_service { 'kibana': order => '921', + internal_virtual_ip => $kibana_vip, listen_port => $kibana_frontend_port, + server_names => $kibana_nodes_names, + ipaddresses => $kibana_nodes_ips, balancermember_port => $kibana_backend_port, balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3', haproxy_config_options => { @@ -93,7 +105,10 @@ if $kibana_tls['enabled'] { if $authnz['ldap_enabled'] and $authnz['ldap_authorization_enabled'] { openstack::ha::haproxy_service { 'kibana-viewer': order => '922', + internal_virtual_ip => $kibana_vip, listen_port => $kibana_frontend_viewer_port, + server_names => $kibana_nodes_names, + ipaddresses => $kibana_nodes_ips, balancermember_port => $kibana_backend_viewer_port, balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3', haproxy_config_options => { diff --git a/deployment_scripts/puppet/manifests/hiera_override.pp b/deployment_scripts/puppet/manifests/hiera_override.pp index ed97308..4b02642 100644 
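Review bot: In the TLS-disabled `else` branch, 'kibana' and 'kibana-viewer' now listen on `$kibana_vip` over plain HTTP, and 'kibana-viewer' is only declared when `$authnz['ldap_enabled']` and `$authnz['ldap_authorization_enabled']` are set, so the combination the hunk permits is LDAP-backed logins crossing the 'kibana' network in cleartext; if that network is the public one the hiera_override.pp comment warns about, directory credentials are exposed. The commit does not flag this pairing anywhere. Either emit `warning('Kibana LDAP authentication is enabled without TLS; credentials will cross the kibana network in cleartext')` at the top of the `else` branch, or at minimum document it there with a `# NOTE:` comment to that effect. The enclosing `if $kibana_tls['enabled'] ... else` block begins before this hunk.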
--- a/deployment_scripts/puppet/manifests/hiera_override.pp +++ b/deployment_scripts/puppet/manifests/hiera_override.pp @@ -21,7 +21,7 @@ prepare_network_config($network_scheme) $elasticsearch_kibana = hiera_hash('elasticsearch_kibana') $hiera_file = '/etc/hiera/plugins/elasticsearch_kibana.yaml' -$listen_address = get_network_role_property('elasticsearch', 'ipaddr') +$es_listen_address = get_network_role_property('elasticsearch', 'ipaddr') $es_nodes = get_nodes_hash_by_roles($network_metadata, ['elasticsearch_kibana', 'primary-elasticsearch_kibana']) $es_addresses_map = get_node_to_ipaddr_map_by_network_role($es_nodes, 'elasticsearch') $es_ip_addresses = sort(values($es_addresses_map)) @@ -29,7 +29,18 @@ $es_nodes_count = count($es_nodes) if ! $network_metadata['vips']['es_vip_mgmt'] { fail('Elasticsearch VIP is not defined') } -$vip = $network_metadata['vips']['es_vip_mgmt']['ipaddr'] +$elasticsearch_vip = $network_metadata['vips']['es_vip_mgmt']['ipaddr'] + +# For security reasons (eg not exposing Kibana directly on the public network), +# only the Kibana VIP should listen on the 'kibana' network and the Kibana +# services themselves should listen on the 'elasticsearch' network which is an +# equivalent of the management network for OpenStack. +$kibana_listen_address = $es_listen_address +$kibana_ip_addresses = $es_ip_addresses +if ! $network_metadata['vips']['kibana'] { + fail('Kibana VIP is not defined') +} +$kibana_vip = $network_metadata['vips']['kibana']['ipaddr'] if is_integer($elasticsearch_kibana['number_of_replicas']) and $elasticsearch_kibana['number_of_replicas'] < $es_nodes_count { $number_of_replicas = 0 + $elasticsearch_kibana['number_of_replicas'] 
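Review bot: `$kibana_listen_address = $es_listen_address` and `$kibana_ip_addresses = $es_ip_addresses` are plain aliases, so the new `lma::kibana::*` keys carry exactly the same values as the `lma::elasticsearch::*` ones; the comment explains which network they are on but not that this silently assumes Kibana and Elasticsearch are co-located on the same nodes (both derive from the `elasticsearch_kibana` roles a few lines up). I would add one line under the block: `# Kibana backends are the ES nodes themselves (shared elasticsearch_kibana role); revisit if the roles are ever split.` The security rationale also holds only if the two VIPs are on different networks; a check such as `if $kibana_vip == $elasticsearch_vip { warning('Kibana and Elasticsearch VIPs coincide; network separation is not in effect') }` would make the degenerate case visible rather than silent. Minor wording: "eg" in the new comment should be "e.g.".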
@@ -127,9 +138,9 @@ $calculated_content = inline_template(' lma::corosync_roles: - primary-elasticsearch_kibana - elasticsearch_kibana -lma::elasticsearch::vip: <%= @vip %> +lma::elasticsearch::vip: <%= @elasticsearch_vip %> lma::elasticsearch::es_haproxy_service: elasticsearch-rest -lma::elasticsearch::listen_address: <%= @listen_address%> +lma::elasticsearch::listen_address: <%= @es_listen_address%> <% if @tls_enabled -%> lma::elasticsearch::kibana_frontend_port: 443 lma::elasticsearch::kibana_frontend_viewer_port: 8443 @@ -158,6 +169,12 @@ lma::elasticsearch::jvm_size: <%= @elasticsearch_kibana["jvm_heap_size"] %> lma::elasticsearch::instance_name: <%= @instance_name %> lma::elasticsearch::node_name: "<%= @fqdn %>_es-01" lma::elasticsearch::cluster_name: lma +lma::kibana::vip: <%= @kibana_vip %> +lma::kibana::listen_address: <%= @kibana_listen_address%> +lma::kibana::nodes: +<% @kibana_ip_addresses.each do |x| -%> + - "<%= x %>" +<% end -%> lma::kibana::tls: enabled: <%= @tls_enabled %> <% if @tls_enabled -%> diff --git a/deployment_scripts/puppet/manifests/provision_services.pp b/deployment_scripts/puppet/manifests/provision_services.pp index 9a08019..c18933f 100644 --- a/deployment_scripts/puppet/manifests/provision_services.pp +++ b/deployment_scripts/puppet/manifests/provision_services.pp @@ -16,7 +16,8 @@ notice('fuel-plugin-elasticsearch-kibana: provision_services.pp') $deployment_id = hiera('deployment_id') $master_ip = hiera('master_ip') -$vip = hiera('lma::elasticsearch::vip') +$es_vip = hiera('lma::elasticsearch::vip') +$kibana_vip = hiera('lma::kibana::vip') $kibana_viewer_port = hiera('lma::elasticsearch::kibana_frontend_viewer_port') $es_port = hiera('lma::elasticsearch::rest_port') $number_of_replicas = hiera('lma::elasticsearch::number_of_replicas') 
@@ -33,14 +34,14 @@ if $kibana_tls['enabled'] { $kibana_hostname = $kibana_tls['hostname'] if $two_links { $kibana_link_data = "{\"title\":\"Kibana (Admin role)\",\ - \"description\":\"Dashboard for visualizing logs and notifications (${kibana_hostname}: ${protocol}://${vip})\",\ + \"description\":\"Dashboard for visualizing logs and notifications (${kibana_hostname}: ${protocol}://${kibana_vip})\",\ \"url\":\"${protocol}://${kibana_hostname}\"}" $kibana_link_viewer_data = "{\"title\":\"Kibana (Viewer role)\",\ - \"description\":\"Dashboard for visualizing logs and notifications (${kibana_hostname}: ${protocol}://${vip}:${kibana_viewer_port})\",\ + \"description\":\"Dashboard for visualizing logs and notifications (${kibana_hostname}: ${protocol}://${kibana_vip}:${kibana_viewer_port})\",\ \"url\":\"${protocol}://${kibana_hostname}:${kibana_viewer_port}/\"}" } else { $kibana_link_data = "{\"title\":\"Kibana\",\ - \"description\":\"Dashboard for visualizing logs and notifications (${kibana_hostname}: ${protocol}://${vip})\",\ + \"description\":\"Dashboard for visualizing logs and notifications (${kibana_hostname}: ${protocol}://${kibana_vip})\",\ \"url\":\"${protocol}://${kibana_hostname}\"}" } } else { 
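Review bot: The link payloads are hand-built JSON with `$kibana_hostname` (from `$kibana_tls['hostname']`) and `$kibana_vip` interpolated unescaped, so a hostname containing `"` or `\` yields a malformed `$kibana_link_data`; the commit touches every one of these strings but keeps the pattern. The value is operator-supplied plugin configuration, so exploitability is low, but a one-line guard next to the assignment at the top of the hunk would close it: `validate_re($kibana_hostname, '^[A-Za-z0-9.-]+$', "invalid Kibana hostname: ${kibana_hostname}")` (loosen the pattern if IPv6 literals are meant to be accepted; stdlib is already in use in these manifests). The enclosing `if $kibana_tls['enabled']` block starts before this hunk and its `else` continues after it.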
@@ -48,24 +49,24 @@ if $kibana_tls['enabled'] { if $two_links { $kibana_link_data = "{\"title\":\"Kibana (Admin role)\",\ \"description\":\"Dashboard for visualizing logs and notifications\",\ - \"url\":\"${protocol}://${vip}\"}" + \"url\":\"${protocol}://${kibana_vip}\"}" $kibana_link_viewer_data = "{\"title\":\"Kibana (Viewer role)\",\ \"description\":\"Dashboard for visualizing logs and notifications\",\ - \"url\":\"${protocol}://${vip}:${kibana_viewer_port}/\"}" + \"url\":\"${protocol}://${kibana_vip}:${kibana_viewer_port}/\"}" } else { $kibana_link_data = "{\"title\":\"Kibana\",\ \"description\":\"Dashboard for visualizing logs and notifications\",\ - \"url\":\"${protocol}://${vip}\"}" + \"url\":\"${protocol}://${kibana_vip}\"}" } } lma_logging_analytics::es_template { ['log', 'notification']: number_of_replicas => $number_of_replicas, - host => $vip, + host => $es_vip, port => $es_port, } -> class { 'lma_logging_analytics::curator': - host => $vip, + host => $es_vip, port => $es_port, retention_period => hiera('lma::elasticsearch::retention_period'), prefixes => ['log', 'notification'],