Configure Kibana to use its own VIP

This change modifies the deployment manifests to use the Kibana VIP
address instead of the one allocated for Elasticsearch. It allows then
the deployer to expose the Kibana dashboard on the public network using
network templates if needed.

Change-Id: I8debb43e3e382a7319a70643116572a7e50cb246
DocImpact: document the Kibana VIP address
Implements-blueprint: kibana-grafana-public-ip-access
Depends-On: Icdf9315239a8fde8b0528f555a89adf0374c408f

deployment_scripts/puppet/manifests/haproxy.pp

@@ -19,24 +19,27 @@ $kibana_backend_port = hiera('lma::elasticsearch::apache_port')
 $kibana_backend_viewer_port = hiera('lma::elasticsearch::apache_viewer_port')
 $kibana_frontend_port = hiera('lma::elasticsearch::kibana_frontend_port')
 $kibana_frontend_viewer_port = hiera('lma::elasticsearch::kibana_frontend_viewer_port')
-$vip = hiera('lma::elasticsearch::vip')
+$es_vip = hiera('lma::elasticsearch::vip')
+$kibana_vip = hiera('lma::kibana::vip')
 
-$nodes_ips = hiera('lma::elasticsearch::nodes')
-$nodes_names = prefix(range(1, size($nodes_ips)), 'server_')
+$es_nodes_ips = hiera('lma::elasticsearch::nodes')
+$es_nodes_names = prefix(range(1, size($es_nodes_ips)), 'server_')
+$kibana_nodes_ips = hiera('lma::kibana::nodes')
+$kibana_nodes_names = prefix(range(1, size($kibana_nodes_ips)), 'server_')
 
 Openstack::Ha::Haproxy_service {
-  server_names        => $nodes_names,
-  ipaddresses         => $nodes_ips,
   public              => false,
   public_ssl          => false,
   internal            => true,
-  internal_virtual_ip => $vip,
 }
 
 $es_haproxy_service = hiera('lma::elasticsearch::es_haproxy_service')
 openstack::ha::haproxy_service { $es_haproxy_service:
   order                  => '920',
+  internal_virtual_ip    => $es_vip,
   listen_port            => $es_port,
+  server_names           => $es_nodes_names,
+  ipaddresses            => $es_nodes_ips,
   balancermember_port    => $es_port,
   balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3',
   haproxy_config_options => {
@@ -53,7 +56,10 @@ if $kibana_tls['enabled'] {
     order                  => '921',
     internal_ssl           => true,
     internal_ssl_path      => $kibana_tls['cert_file_path'],
+    internal_virtual_ip    => $kibana_vip,
     listen_port            => $kibana_frontend_port,
+    server_names           => $kibana_nodes_names,
+    ipaddresses            => $kibana_nodes_ips,
     balancermember_port    => $kibana_backend_port,
     balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3',
     haproxy_config_options => {
@@ -67,7 +73,10 @@ if $kibana_tls['enabled'] {
       order                  => '922',
       internal_ssl           => true,
       internal_ssl_path      => $kibana_tls['cert_file_path'],
+      internal_virtual_ip    => $kibana_vip,
       listen_port            => $kibana_frontend_viewer_port,
+      server_names           => $kibana_nodes_names,
+      ipaddresses            => $kibana_nodes_ips,
       balancermember_port    => $kibana_backend_viewer_port,
       balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3',
       haproxy_config_options => {
@@ -81,7 +90,10 @@ if $kibana_tls['enabled'] {
 } else {
   openstack::ha::haproxy_service { 'kibana':
     order                  => '921',
+    internal_virtual_ip    => $kibana_vip,
     listen_port            => $kibana_frontend_port,
+    server_names           => $kibana_nodes_names,
+    ipaddresses            => $kibana_nodes_ips,
     balancermember_port    => $kibana_backend_port,
     balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3',
     haproxy_config_options => {
@@ -93,7 +105,10 @@ if $kibana_tls['enabled'] {
   if $authnz['ldap_enabled'] and $authnz['ldap_authorization_enabled'] {
     openstack::ha::haproxy_service { 'kibana-viewer':
       order                  => '922',
+      internal_virtual_ip    => $kibana_vip,
       listen_port            => $kibana_frontend_viewer_port,
+      server_names           => $kibana_nodes_names,
+      ipaddresses            => $kibana_nodes_ips,
       balancermember_port    => $kibana_backend_viewer_port,
       balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3',
       haproxy_config_options => {

deployment_scripts/puppet/manifests/hiera_override.pp

@@ -21,7 +21,7 @@ prepare_network_config($network_scheme)
 
 $elasticsearch_kibana = hiera_hash('elasticsearch_kibana')
 $hiera_file           = '/etc/hiera/plugins/elasticsearch_kibana.yaml'
-$listen_address       = get_network_role_property('elasticsearch', 'ipaddr')
+$es_listen_address       = get_network_role_property('elasticsearch', 'ipaddr')
 $es_nodes             = get_nodes_hash_by_roles($network_metadata, ['elasticsearch_kibana', 'primary-elasticsearch_kibana'])
 $es_addresses_map     = get_node_to_ipaddr_map_by_network_role($es_nodes, 'elasticsearch')
 $es_ip_addresses      = sort(values($es_addresses_map))
@@ -29,7 +29,18 @@ $es_nodes_count       = count($es_nodes)
 if ! $network_metadata['vips']['es_vip_mgmt'] {
   fail('Elasticsearch VIP is not defined')
 }
-$vip = $network_metadata['vips']['es_vip_mgmt']['ipaddr']
+$elasticsearch_vip = $network_metadata['vips']['es_vip_mgmt']['ipaddr']
+
+# For security reasons (eg not exposing Kibana directly on the public network),
+# only the Kibana VIP should listen on the 'kibana' network and the Kibana
+# services themselves should listen on the 'elasticsearch' network which is an
+# equivalent of the management network for OpenStack.
+$kibana_listen_address = $es_listen_address
+$kibana_ip_addresses   = $es_ip_addresses
+if ! $network_metadata['vips']['kibana'] {
+  fail('Kibana VIP is not defined')
+}
+$kibana_vip = $network_metadata['vips']['kibana']['ipaddr']
 
 if is_integer($elasticsearch_kibana['number_of_replicas']) and $elasticsearch_kibana['number_of_replicas'] < $es_nodes_count {
   $number_of_replicas = 0 + $elasticsearch_kibana['number_of_replicas']
@@ -127,9 +138,9 @@ $calculated_content = inline_template('
 lma::corosync_roles:
     - primary-elasticsearch_kibana
     - elasticsearch_kibana
-lma::elasticsearch::vip: <%= @vip %>
+lma::elasticsearch::vip: <%= @elasticsearch_vip %>
 lma::elasticsearch::es_haproxy_service: elasticsearch-rest
-lma::elasticsearch::listen_address: <%= @listen_address%>
+lma::elasticsearch::listen_address: <%= @es_listen_address%>
 <% if @tls_enabled -%>
 lma::elasticsearch::kibana_frontend_port: 443
 lma::elasticsearch::kibana_frontend_viewer_port: 8443
@@ -158,6 +169,12 @@ lma::elasticsearch::jvm_size: <%= @elasticsearch_kibana["jvm_heap_size"] %>
 lma::elasticsearch::instance_name: <%= @instance_name %>
 lma::elasticsearch::node_name: "<%= @fqdn %>_es-01"
 lma::elasticsearch::cluster_name: lma
+lma::kibana::vip: <%= @kibana_vip %>
+lma::kibana::listen_address: <%= @kibana_listen_address%>
+lma::kibana::nodes:
+<% @kibana_ip_addresses.each do |x| -%>
+    - "<%= x %>"
+<% end -%>
 lma::kibana::tls:
     enabled: <%= @tls_enabled %>
 <% if @tls_enabled -%>

deployment_scripts/puppet/manifests/provision_services.pp

@@ -16,7 +16,8 @@ notice('fuel-plugin-elasticsearch-kibana: provision_services.pp')
 
 $deployment_id = hiera('deployment_id')
 $master_ip = hiera('master_ip')
-$vip = hiera('lma::elasticsearch::vip')
+$es_vip = hiera('lma::elasticsearch::vip')
+$kibana_vip = hiera('lma::kibana::vip')
 $kibana_viewer_port = hiera('lma::elasticsearch::kibana_frontend_viewer_port')
 $es_port = hiera('lma::elasticsearch::rest_port')
 $number_of_replicas = hiera('lma::elasticsearch::number_of_replicas')
@@ -33,14 +34,14 @@ if $kibana_tls['enabled'] {
   $kibana_hostname = $kibana_tls['hostname']
   if $two_links {
     $kibana_link_data = "{\"title\":\"Kibana (Admin role)\",\
-    \"description\":\"Dashboard for visualizing logs and notifications (${kibana_hostname}: ${protocol}://${vip})\",\
+    \"description\":\"Dashboard for visualizing logs and notifications (${kibana_hostname}: ${protocol}://${kibana_vip})\",\
     \"url\":\"${protocol}://${kibana_hostname}\"}"
     $kibana_link_viewer_data = "{\"title\":\"Kibana (Viewer role)\",\
-    \"description\":\"Dashboard for visualizing logs and notifications (${kibana_hostname}: ${protocol}://${vip}:${kibana_viewer_port})\",\
+    \"description\":\"Dashboard for visualizing logs and notifications (${kibana_hostname}: ${protocol}://${kibana_vip}:${kibana_viewer_port})\",\
     \"url\":\"${protocol}://${kibana_hostname}:${kibana_viewer_port}/\"}"
   } else {
     $kibana_link_data = "{\"title\":\"Kibana\",\
-    \"description\":\"Dashboard for visualizing logs and notifications (${kibana_hostname}: ${protocol}://${vip})\",\
+    \"description\":\"Dashboard for visualizing logs and notifications (${kibana_hostname}: ${protocol}://${kibana_vip})\",\
     \"url\":\"${protocol}://${kibana_hostname}\"}"
   }
 } else {
@@ -48,24 +49,24 @@ if $kibana_tls['enabled'] {
   if $two_links {
     $kibana_link_data = "{\"title\":\"Kibana (Admin role)\",\
     \"description\":\"Dashboard for visualizing logs and notifications\",\
-    \"url\":\"${protocol}://${vip}\"}"
+    \"url\":\"${protocol}://${kibana_vip}\"}"
     $kibana_link_viewer_data = "{\"title\":\"Kibana (Viewer role)\",\
     \"description\":\"Dashboard for visualizing logs and notifications\",\
-    \"url\":\"${protocol}://${vip}:${kibana_viewer_port}/\"}"
+    \"url\":\"${protocol}://${kibana_vip}:${kibana_viewer_port}/\"}"
   } else {
     $kibana_link_data = "{\"title\":\"Kibana\",\
     \"description\":\"Dashboard for visualizing logs and notifications\",\
-    \"url\":\"${protocol}://${vip}\"}"
+    \"url\":\"${protocol}://${kibana_vip}\"}"
   }
 }
 
 lma_logging_analytics::es_template { ['log', 'notification']:
   number_of_replicas => $number_of_replicas,
-  host               => $vip,
+  host               => $es_vip,
   port               => $es_port,
 } ->
 class { 'lma_logging_analytics::curator':
-  host             => $vip,
+  host             => $es_vip,
   port             => $es_port,
   retention_period => hiera('lma::elasticsearch::retention_period'),
   prefixes         => ['log', 'notification'],