Add SSL for Elasticsearch
Change-Id: I0a525b82e6dfc536bec6953485f2d11e6f64cd54
PROD-related: PROD-29185
diff --git a/defaults/haproxy/elasticsearch.yml b/defaults/haproxy/elasticsearch.yml
new file mode 100644
index 0000000..07db053
--- /dev/null
+++ b/defaults/haproxy/elasticsearch.yml
@@ -0,0 +1,6 @@
+parameters:
+ _param:
+ haproxy_elasticsearch_http_bind_port: 9200
+ haproxy_elasticsearch_http_exposed_port: 9200
+ haproxy_elasticsearch_binary_bind_port: 9300
+ haproxy_elasticsearch_binary_exposed_port: 9300
diff --git a/defaults/haproxy/init.yml b/defaults/haproxy/init.yml
new file mode 100644
index 0000000..499e085
--- /dev/null
+++ b/defaults/haproxy/init.yml
@@ -0,0 +1,2 @@
+classes:
+- system.defaults.haproxy.elasticsearch
diff --git a/defaults/init.yml b/defaults/init.yml
index 2683f28..f12a8ec 100644
--- a/defaults/init.yml
+++ b/defaults/init.yml
@@ -26,6 +26,7 @@
- system.defaults.stacklight
- system.defaults.xtrabackup
- system.defaults.backup
+- system.defaults.haproxy
# k8s
- system.defaults.etcd
parameters:
diff --git a/elasticsearch/client/ssl.yml b/elasticsearch/client/ssl.yml
new file mode 100644
index 0000000..9f0f9c2
--- /dev/null
+++ b/elasticsearch/client/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+ elasticsearch:
+ client:
+ server:
+ scheme: https
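Review bot: `scheme: https` switches the Salt-side Elasticsearch client to TLS without any visible CA or peer-verification setting, and the certificate HAProxy will present is issued by the internal Salt CA (see the `ca_file` in salt/minion/cert/elasticsearch.yml), not by anything in the system trust store. If the elasticsearch formula does not pass a CA bundle through to the client, verification will fail, and the obvious workaround of disabling verification would defeat the point of the change. Confirm how the formula handles peer verification and, where it exposes a knob, set the CA explicitly in this class next to `scheme: https` rather than relying on defaults.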
diff --git a/fluentd/label/default_metric/prometheus_ssl.yml b/fluentd/label/default_metric/prometheus_ssl.yml
new file mode 100644
index 0000000..292c481
--- /dev/null
+++ b/fluentd/label/default_metric/prometheus_ssl.yml
@@ -0,0 +1,9 @@
+parameters:
+ fluentd:
+ agent:
+ config:
+ input:
+ prometheus:
+ metric:
+ ssl:
+ enabled: True
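Review bot: `enabled: True` on the last line uses a capitalised boolean while the other toggles added by this change (`ssl.enabled: true` in the HAProxy class, `enabled: true` in the cert classes) are lowercase, and `True` is only a boolean under YAML 1.1 rules; write `enabled: true`. This block also turns TLS on for the prometheus metric input without referencing the key/cert that salt/minion/cert/fluentd_prometheus.yml generates (`fluentd-prometheus.key` / `.crt` under `${fluentd:agent:dir:config}`); if the fluentd formula does not default to those paths the input will start without a usable certificate, so it is worth confirming against the formula or setting the paths here explicitly.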
diff --git a/fluentd/label/default_output/elasticsearch_ssl.yml b/fluentd/label/default_output/elasticsearch_ssl.yml
new file mode 100644
index 0000000..da3a5a7
--- /dev/null
+++ b/fluentd/label/default_output/elasticsearch_ssl.yml
@@ -0,0 +1,9 @@
+parameters:
+ fluentd:
+ agent:
+ config:
+ label:
+ default_output:
+ match:
+ elasticsearch_output:
+ scheme: https
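Review bot: `scheme: https` on the elasticsearch_output match changes the transport but sets nothing about certificate verification; the endpoint certificate in this change is signed by the internal Salt CA, so the output plugin's default trust store will not validate it. Without the formula passing the CA through (the equivalent of the plugin's `ca_file` / `ssl_verify` options), the only way to make this work is to turn verification off, which leaves the log stream open to interception despite the https scheme. Confirm the formula's default for peer verification and, if a parameter exists, pin verification on in this class together with the CA path used in salt/minion/cert/elasticsearch.yml.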
diff --git a/haproxy/proxy/listen/stacklight/elasticsearch.yml b/haproxy/proxy/listen/stacklight/elasticsearch.yml
index 582de6a..d684861 100644
--- a/haproxy/proxy/listen/stacklight/elasticsearch.yml
+++ b/haproxy/proxy/listen/stacklight/elasticsearch.yml
@@ -1,10 +1,6 @@
parameters:
_param:
haproxy_elasticsearch_bind_host: ${_param:cluster_vip_address}
- haproxy_elasticsearch_http_bind_port: 9200
- haproxy_elasticsearch_http_exposed_port: 9200
- haproxy_elasticsearch_binary_bind_port: 9300
- haproxy_elasticsearch_binary_exposed_port: 9300
haproxy:
proxy:
listen:
@@ -17,7 +13,7 @@
- dontlog-normal
balance: roundrobin
binds:
- - address: ${_param:haproxy_elasticsearch_bind_host}
+ - address: ${_param:cluster_vip_address}
port: ${_param:haproxy_elasticsearch_http_bind_port}
servers:
- name: ${_param:cluster_node01_hostname}
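Review bot: The changed bind now references `${_param:cluster_vip_address}` directly, while `haproxy_elasticsearch_bind_host` is still defined at the top of this file (and again in elasticsearch_ssl.yml) but no longer consumed by the listener, so overriding that parameter in a cluster model silently has no effect. Either restore `- address: ${_param:haproxy_elasticsearch_bind_host}` so the indirection remains meaningful, or remove the now-dead parameter from both classes. The first hunk moves the port defaults into system.defaults.haproxy; models that included only this class for those values now depend on `system.defaults` being part of their class tree.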
diff --git a/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml b/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml
new file mode 100644
index 0000000..a50280e
--- /dev/null
+++ b/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml
@@ -0,0 +1,55 @@
+parameters:
+ _param:
+ haproxy_elasticsearch_bind_host: ${_param:cluster_vip_address}
+ haproxy:
+ proxy:
+ listen:
+ elasticsearch:
+ mode: http
+ options:
+ - httplog
+ - http-keep-alive
+ - prefer-last-server
+ - dontlog-normal
+ balance: roundrobin
+ binds:
+ - address: ${_param:cluster_vip_address}
+ port: ${_param:haproxy_elasticsearch_http_bind_port}
+ ssl:
+ enabled: true
+ pem_file: /etc/elasticsearch/elasticsearch.pem
+ servers:
+ - name: ${_param:cluster_node01_hostname}
+ host: ${_param:cluster_node01_address}
+ port: ${_param:haproxy_elasticsearch_http_exposed_port}
+ params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+ - name: ${_param:cluster_node02_hostname}
+ host: ${_param:cluster_node02_address}
+ port: ${_param:haproxy_elasticsearch_http_exposed_port}
+ params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+ - name: ${_param:cluster_node03_hostname}
+ host: ${_param:cluster_node03_address}
+ port: ${_param:haproxy_elasticsearch_http_exposed_port}
+ params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+ elasticsearch_binary:
+ mode: tcp
+ options:
+ - tcpka
+ - tcplog
+ balance: source
+ binds:
+ - address: ${_param:cluster_vip_address}
+ port: ${_param:haproxy_elasticsearch_binary_bind_port}
+ servers:
+ - name: ${_param:cluster_node01_hostname}
+ host: ${_param:cluster_node01_address}
+ port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+ params: 'check'
+ - name: ${_param:cluster_node02_hostname}
+ host: ${_param:cluster_node02_address}
+ port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+ params: 'check'
+ - name: ${_param:cluster_node03_hostname}
+ host: ${_param:cluster_node03_address}
+ port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+ params: 'check'
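Review bot: TLS is terminated only on the 9200 frontend (`ssl.enabled: true` on the bind); the backend servers are still reached on `haproxy_elasticsearch_http_exposed_port` with bare `check` params and no `ssl verify` in the server params, and the 9300 `elasticsearch_binary` listener is unchanged, so the HAProxy-to-Elasticsearch hop and the transport traffic remain cleartext. Make that explicit at the top of the class, e.g. `# TLS terminates at HAProxy; traffic from HAProxy to the ES nodes on 9200/9300 is unencrypted`, or, if the ES nodes present their own certificates, add `ssl verify required ca-file /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem` to the server params. `pem_file: /etc/elasticsearch/elasticsearch.pem` is the combined key+cert bundle written by salt/minion/cert/elasticsearch.yml, so the haproxy process needs read access to it without the file being world-readable. `haproxy_elasticsearch_bind_host` is defined here but the bind uses `cluster_vip_address` directly, so the parameter is dead in this class.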
diff --git a/kibana/client/ssl.yml b/kibana/client/ssl.yml
new file mode 100644
index 0000000..76160c6
--- /dev/null
+++ b/kibana/client/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+ kibana:
+ client:
+ server:
+ scheme: https
diff --git a/kibana/server/single.yml b/kibana/server/single.yml
index 965f274..5c59588 100644
--- a/kibana/server/single.yml
+++ b/kibana/server/single.yml
@@ -13,4 +13,5 @@
engine: elasticsearch
host: ${_param:kibana_elasticsearch_host}
port: 9200
+ scheme: http
diff --git a/kibana/server/ssl.yml b/kibana/server/ssl.yml
new file mode 100644
index 0000000..5b049f8
--- /dev/null
+++ b/kibana/server/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+ kibana:
+ server:
+ database:
+ scheme: https
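Review bot: Switching Kibana's Elasticsearch connection to `scheme: https` without a CA setting leaves verification of the HAProxy-presented certificate to Kibana's default trust store, and that certificate is signed by the internal Salt CA (`ca_file: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem`) with CN `elasticsearch`. Unless the kibana formula wires that CA into Kibana's `elasticsearch.ssl.certificateAuthorities` and `${_param:kibana_elasticsearch_host}` is covered by the certificate's SANs, the connection will either fail or be made to work by disabling verification. Confirm how the formula handles the CA and, if it exposes it, set the CA path in this class alongside the scheme.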
diff --git a/salt/minion/cert/elasticsearch.yml b/salt/minion/cert/elasticsearch.yml
new file mode 100644
index 0000000..0ac232d
--- /dev/null
+++ b/salt/minion/cert/elasticsearch.yml
@@ -0,0 +1,16 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ elasticsearch:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: elasticsearch
+ signing_policy: cert_server
+ alternative_names: IP:127.0.0.1,IP:${_param:single_address},IP:${_param:stacklight_log_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ key_file: /etc/elasticsearch/elasticsearch.key
+ cert_file: /etc/elasticsearch/elasticsearch.crt
+ ca_file: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem
+ all_file: /etc/elasticsearch/elasticsearch.pem
+ mode: '0444'
+ enabled: true
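Review bot: `mode: '0444'` makes the generated files world-readable, and `all_file` (`elasticsearch.pem`) is the combined bundle that HAProxy loads as `pem_file`, so it necessarily contains the private key; if the mode is applied to the key and bundle as well as the certificate, any local user on the node can read the key and impersonate the Elasticsearch endpoint. Restrict it, e.g. `mode: '0440'`, with the key and bundle owned by a group that both elasticsearch and haproxy belong to (if the cert state supports ownership), and keep 0444 only for the public `.crt`. Separately, `alternative_names` lists 127.0.0.1, `single_address`, `stacklight_log_address` and the host names, but HAProxy serves this certificate on `cluster_vip_address`; unless `stacklight_log_address` is the VIP, clients that verify the address they connect to will see a name mismatch, so consider adding `IP:${_param:cluster_vip_address}` to the SAN list.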
diff --git a/salt/minion/cert/fluentd_prometheus.yml b/salt/minion/cert/fluentd_prometheus.yml
new file mode 100644
index 0000000..d7f4469
--- /dev/null
+++ b/salt/minion/cert/fluentd_prometheus.yml
@@ -0,0 +1,14 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ fluentd_prometheus:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: fluentd_prometheus
+ signing_policy: cert_server
+ alternative_names: IP:127.0.0.1,IP:${_param:single_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ key_file: ${fluentd:agent:dir:config}/fluentd-prometheus.key
+ cert_file: ${fluentd:agent:dir:config}/fluentd-prometheus.crt
+ mode: '0444'
+ enabled: true
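Review bot: `mode: '0444'` here covers `fluentd-prometheus.key` as well as the certificate if the cert state applies the mode to every file it writes, which would leave the TLS private key readable by every local user. Restrict it, e.g. `mode: '0440'` (or `'0400'` if only the fluentd user needs it and the state supports ownership), and keep world-readable permissions only for the `.crt`. Unlike the elasticsearch cert class, no `ca_file` is written here; that is fine for a server-only certificate as long as whatever scrapes the metric endpoint already trusts the issuing authority, which is worth stating in a comment on the class.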