Update elasticsearch firewall rules

This converts the config for elasticsearch cluster client firewall rules to use the new puppet-iptables iptables_allowed_hosts feature. This works around an issue with netfilter-persistent starting before dns resolution is working on boot. Change-Id: I81b7598cb32d498b219ee00f0589e6bf0dc8c242
2017-12-14 14:09:05 -08:00 · 2017-12-14 14:09:05 -08:00 · e99506b030
parent 6f4637c1ef
commit e99506b030
2 changed files with 30 additions and 31 deletions
--- a/hiera/common.yaml
+++ b/hiera/common.yaml
@ -6,28 +6,34 @@ elasticsearch_nodes:
 - elasticsearch05.openstack.org
 - elasticsearch06.openstack.org
 - elasticsearch07.openstack.org
-elasticsearch_clients:
- logstash.openstack.org
- logstash-worker01.openstack.org
- logstash-worker02.openstack.org
- logstash-worker03.openstack.org
- logstash-worker04.openstack.org
- logstash-worker05.openstack.org
- logstash-worker06.openstack.org
- logstash-worker07.openstack.org
- logstash-worker08.openstack.org
- logstash-worker09.openstack.org
- logstash-worker10.openstack.org
- logstash-worker11.openstack.org
- logstash-worker12.openstack.org
- logstash-worker13.openstack.org
- logstash-worker14.openstack.org
- logstash-worker15.openstack.org
- logstash-worker16.openstack.org
- logstash-worker17.openstack.org
- logstash-worker18.openstack.org
- logstash-worker19.openstack.org
- logstash-worker20.openstack.org
+elasticsearch_iptables_rule_data:
+- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch02.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch03.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch04.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch05.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch06.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch07.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker01.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker02.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker03.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker04.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker05.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker06.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker07.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker08.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker09.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker10.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker11.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker12.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker13.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker14.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker15.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker16.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker17.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker18.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker19.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker20.openstack.org'}
 logstash_iptables_rule_data:
 - {protocol: 'tcp', port: '4730', hostname: 'logstash-worker01.openstack.org'}
 - {protocol: 'tcp', port: '4730', hostname: 'logstash-worker02.openstack.org'}
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -6,7 +6,6 @@
 # passed around in test.sh
 #
 $elasticsearch_nodes = hiera_array('elasticsearch_nodes')
-$elasticsearch_clients = hiera_array('elasticsearch_clients')

 #
 # Default: should at least behave like an openstack server
@ -520,19 +519,13 @@ node /^subunit-worker\d+\.openstack\.org$/ {
 # Node-OS: xenial
 node /^elasticsearch0[1-7]\.openstack\.org$/ {
  $group = "elasticsearch"
-  $iptables_nodes_rule = regsubst ($elasticsearch_nodes,
-                                   '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
-  $iptables_clients_rule = regsubst ($elasticsearch_clients,
-                                     '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
-  $iptables_rule = flatten([$iptables_nodes_rule, $iptables_clients_rule])
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [22],
-    iptables_rules6           => $iptables_rule,
-    iptables_rules4           => $iptables_rule,
+    iptables_allowed_hosts    => hiera_array('elasticsearch_iptables_rule_data'),
    sysadmins                 => hiera('sysadmins', []),
  }
  class { 'openstack_project::elasticsearch_node':
-    discover_nodes        => $elasticsearch_nodes,
+    discover_nodes => $elasticsearch_nodes,
  }
 }