Re-add ELK deployment including bootstrapper

Change-Id: Iedac481e593c1f0df8ae9d5d5af20fb280992e94

continuous_cacert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDzTCCArWgAwIBAgIJAMjKv/sJrt0JMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
+BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwLU2FuIEFudG9uaW8xCzAJ
+BgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91cy5wdzEfMB0GA1UdEQwW
+SVAuMT1vc2EuY29udGludW91cy5wdzAeFw0xODAzMDIxNTM1NDZaFw0yODAyMjgx
+NTM1NDZaMH0xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwL
+U2FuIEFudG9uaW8xCzAJBgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91
+cy5wdzEfMB0GA1UdEQwWSVAuMT1vc2EuY29udGludW91cy5wdzCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBANjzeNQOfZPLWEYXcyn4htcjli6QCT8FKU8I
+edvaPDEjefcdBmD2f49bc8RRqbB8cje/B6vAAeBfXoQKoh5HQ/rec1S2aSQsYObl
+ecaQTYKVVVUsAhbsmLf39rpqIhmKKA+qZCAJPsdtUQ2fTfwNnF2+9XhZ40LsZDse
+cCCtwM3sKq5OymZ1JsHKMp1FEJINDAiV1aekmNjoaOeCCbuEgKKiniGJ7iVp18x8
+80tGUwFq2gXrlmzYQntA80vN9MtWgnkn5KACVvE3vLpzPyKRsn5htsedmccNWGa5
+eQHgAIoaP1AI57ryZHOFQxebWCWanxm19RdekyhTeqsGSso70b8CAwEAAaNQME4w
+HQYDVR0OBBYEFHHOdo0iyJbl15Q3/61oYMMAGLH1MB8GA1UdIwQYMBaAFHHOdo0i
+yJbl15Q3/61oYMMAGLH1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
+AAFh2mLQmGePooS/OoDNfeTORVSmq3u+l/F+5XGSSXjujY3tkl8AvXhvwVRKYFkE
+y8viOR8yTvT6kyA7jQ2Fe2g0CVK+TyxpFiXQgCxISN9zAM/E2mGiM4FXqkrkl6vs
+XacpMa7FAr1ZCp//rWT8NDPPMdq1L5BO4BEpE1tseaJSRv8SWztLpQZUic4YgvN2
+HKnG4qpuA90nrDL30uB/dQxcVad4lG9f2vXYgbjg6QMyY1s4VVd3v9w+do8GLeia
+ddlRJ6Pnmk26Kgs/0WoVVBNYVUrdo+Hk0k2BpO0/Yk+0+rz8wa+Ee4vAA3M4xT1p
+NhQjSPoo+M+vDa6hxK8/Z/c=
+-----END CERTIFICATE-----

elk_bootstrap/bootstrap-elk-infra.yml

@@ -0,0 +1,185 @@
+---
+
+- name: Bootstrap ELK project
+  hosts: "{{ openstack_service_setup_host | default('localhost') }}"
+  vars_files:
+    - vars/elk.yml
+  pre_tasks:
+    - name: Set ansible_python_interpreter
+      set_fact:
+        ansible_python_interpreter: >-
+          {{ openstack_service_setup_host_python_interpreter |
+            default((inventory_hostname == 'localhost') |
+                    ternary(ansible_playbook_python,
+                            ansible_python['executable'])) }}
+    - name: Install openstacksdk
+      pip:
+        name: openstacksdk
+        state: latest
+  tasks:
+    - name: Create ELK project
+      os_project:
+        cloud: default
+        endpoint_type: internal
+        name: "{{ elk_bootstrap_auth.project_name }}"
+        domain: "{{ elk_bootstrap_auth.project_domain_id }}"
+        description: ELK stack
+        region_name: "{{ elk_region_name }}"
+    - name: Create ELK user
+      os_user:
+        cloud: default
+        endpoint_type: internal
+        description: ELK Ansible Management user
+        name: "{{ elk_bootstrap_auth.username }}"
+        password: "{{ elk_bootstrap_auth.password }}"
+        domain: "{{ elk_bootstrap_auth.user_domain_id }}"
+        region_name: "{{ elk_region_name }}"
+        default_project: "{{ elk_bootstrap_auth.project_name }}"
+    - name: Add ELK user to project
+      os_user_role:
+        cloud: default
+        endpoint_type: internal
+        user: "{{ elk_bootstrap_auth.username }}"
+        project: "{{ elk_bootstrap_auth.project_name }}"
+        role: '_member_'
+# NOTE(logan): os_project_access was not added until ansible 2.5, so this
+# cannot be used until OSA is upgraded to Rocky. Until then the flavor must
+# be bootstrapped manually.
+#    - name: Create ELK flavor
+#      os_nova_flavor:
+#        cloud: default
+#        endpoint_type: internal
+#        name: "{{ elk_flavor.name }}"
+#        is_public: "{{ elk_flavor.public | bool }}"
+#        vcpus: "{{ elk_flavor.vcpus }}"
+#        ram: "{{ elk_flavor.ram }}"
+#        disk: "{{ elk_flavor.disk }}"
+#    - name: Add ELK user access to flavor
+#      os_project_access:
+#        cloud: default
+#        endpoint_type: internal
+#        target_project_id: "{{ elk_bootstrap_auth.project_name }}"
+#        resource_type: nova_flavor
+#        resource_name: "{{ elk_flavor.name }}"
+
+- name: Bootstrap ELK Infrastructure
+  hosts: localhost
+  gather_facts: no
+  vars_files:
+    - vars/elk.yml
+  pre_tasks:
+    - name: Install openstacksdk
+      pip:
+        name: openstacksdk
+  tasks:
+    - name: Create SSH keypair
+      os_keypair:
+        auth: "{{ elk_bootstrap_auth }}"
+        cacert: "{{ playbook_dir }}/../continuous_cacert.pem"
+        name: ELK-ansible
+        public_key_file: "{{ playbook_dir }}/../ssh/id_rsa.pub"
+    - name: Create All Traffic security group
+      os_security_group:
+        auth: "{{ elk_bootstrap_auth }}"
+        cacert: "{{ playbook_dir }}/../continuous_cacert.pem"
+        name: All Traffic
+        description: Pass all traffic
+    - name: Add All Traffic security group rules
+      os_security_group_rule:
+        auth: "{{ elk_bootstrap_auth }}"
+        cacert: "{{ playbook_dir }}/../continuous_cacert.pem"
+        security_group: All Traffic
+        direction: "{{ item.direction }}"
+        ethertype: "{{ item.ethertype }}"
+      with_items:
+        - direction: ingress
+          ethertype: IPv4
+        - direction: ingress
+          ethertype: IPv6
+        - direction: egress
+          ethertype: IPv4
+        - direction: egress
+          ethertype: IPv6
+    - name: Create ELK anti-affinity group
+      os_server_group:
+        auth: "{{ elk_bootstrap_auth }}"
+        cacert: "{{ playbook_dir }}/../continuous_cacert.pem"
+        name: "{{ elk_server_group }}"
+        policies:
+          - anti-affinity
+      register: server_group
+    - name: Create ELK instances
+      os_server:
+        auth: "{{ elk_bootstrap_auth }}"
+        cacert: "{{ playbook_dir }}/../continuous_cacert.pem"
+        name: "{{ item.name }}"
+        scheduler_hints:
+          group: "{{ server_group.id }}"
+        image: "{{ item.image }}"
+        key_name: "{{ item.key_name }}"
+        flavor: "{{ item.flavor }}"
+        network: "{{ item.network }}"
+        security_groups: "{{ item.security_groups }}"
+      with_items: "{{ elk_instances }}"
+      register: elk_instances_create
+    - name: Create ELK volumes
+      os_volume:
+        auth: "{{ elk_bootstrap_auth }}"
+        cacert: "{{ playbook_dir }}/../continuous_cacert.pem"
+        display_name: "{{ item.0.name }}_{{ item.1.name }}"
+        size: "{{ item.1.size }}"
+      with_subelements:
+        - "{{ elk_instances }}"
+        - volumes
+      # NOTE(logan): New syntax for ansible 2.5
+      # loop: "{{ lookup('subelements', elk_instances, 'volumes', {'skip_missing': True}, wantlist=True) }}"
+    - name: Attach volume to ELK instance
+      os_server_volume:
+        auth: "{{ elk_bootstrap_auth }}"
+        cacert: "{{ playbook_dir }}/../continuous_cacert.pem"
+        server: "{{ item.0.name }}"
+        volume: "{{ item.0.name }}_{{ item.1.name }}"
+      with_subelements:
+        - "{{ elk_instances }}"
+        - volumes
+      # NOTE(logan): New syntax for ansible 2.5
+      # loop: "{{ lookup('subelements', elk_instances, 'volumes', {'skip_missing': True}, wantlist=True) }}"
+    - name: Add the hosts to the inventory
+      add_host:
+        name: "{{ item.openstack.name }}"
+        groups: elk_hosts
+        ansible_host: "{{ item.openstack.public_v4 }}"
+        ansible_user: ubuntu
+        ansible_become: true
+      with_items: "{{ elk_instances_create.results }}"
+      delegate_to: localhost
+    - name: Build the ansible ELK inventory file
+      template:
+        src: inventory.yml.j2
+        dest: "{{ playbook_dir }}/inventory/elk_hosts.yml"
+
+- import_playbook: "{{ playbook_dir }}/../openstack-ansible/playbooks/openstack-hosts-setup.yml"
+  vars:
+    openstack_host_group: elk_hosts
+- import_playbook: "{{ playbook_dir }}/../openstack-ansible/playbooks/security-hardening.yml"
+  vars:
+    security_host_group: elk_hosts
+- import_playbook: "{{ playbook_dir }}/../openstack-ansible/playbooks/haproxy-install.yml"
+  vars:
+    haproxy_default_services:
+      - service:
+          haproxy_service_name: elasticsearch
+          haproxy_backend_nodes: "{{ groups['elk_hosts'] | default([]) }}"
+          haproxy_ssl: True
+          haproxy_port: 9201
+          haproxy_backend_port: 9200
+          haproxy_balance_type: http
+          haproxy_backend_options:
+            - "httpchk"
+      - service:
+          haproxy_service_name: kibana_ssl
+          haproxy_backend_nodes: "{{ groups['elk_hosts'] | default([]) }}"
+          haproxy_ssl: True
+          haproxy_port: 8443
+          haproxy_backend_port: 81
+          haproxy_balance_type: tcp

elk_bootstrap/inventory/groups.yml

@@ -0,0 +1,13 @@
+---
+
+all:
+  children:
+    apm-server:
+      children:
+        ? elk_hosts
+    elastic-logstash:
+      children:
+        ? elk_hosts
+    kibana:
+      children:
+        ? elk_hosts

elk_bootstrap/templates/inventory.yml.j2

@@ -0,0 +1,18 @@
+---
+# {{ ansible_managed }}
+
+all:
+  children:
+    hosts:
+      children:
+        elk_hosts:
+          vars:
+            physical_host: "{% raw %}{{ inventory_hostname }}{% endraw %}"
+            ansible_python_interpreter: /usr/bin/python3
+          hosts:
+{% for host in groups['elk_hosts'] %}
+            {{ host }}:
+              ansible_host: "{{ hostvars[host]['ansible_host'] }}"
+              ansible_user: "{{ hostvars[host]['ansible_user'] }}"
+              ansible_become: {{ hostvars[host]['ansible_become'] | bool }}
+{% endfor %}

elk_bootstrap/vars/elk.yml

@@ -0,0 +1,42 @@
+---
+
+elk_bootstrap_auth:
+  auth_url: "https://{{ external_lb_vip_address }}:5000/v3"
+  project_name: ELK
+  username: elk-ansible
+  password: !vault |
+    $ANSIBLE_VAULT;1.1;AES256
+    37306132646537343266396632373832373637633230383334356335303666663134633531393433
+    3166653761356366366365323463656461666237633130330a363937383639613931306365646364
+    62616634353463333364323635653937623734376331393064326533376634336335343566353437
+    3236326435643735630a633833643663643961626365396464633638303932613562376463323332
+    36326135636464656435376633376333613462363263393738613331643466643433
+  user_domain_id: default
+  project_domain_id: default
+
+elk_region_name: RegionOne
+
+elk_flavor:
+  name: elk
+  public: no
+  vcpus: 8
+  ram: 16384
+  disk: 25
+
+elk_instance_template:
+  image: 'ubuntu 18.04 [20180618]'
+  key_name: ELK-ansible
+  flavor: "{{ elk_flavor.name }}"
+  network: Gateway Network
+  security_groups:
+    - All Traffic
+  volumes:
+    - name: data
+      size: 1024
+
+elk_server_group: elk
+
+elk_instances:
+  - "{{ elk_instance_template | combine({'name': 'elk1-1'}) }}"
+  - "{{ elk_instance_template | combine({'name': 'elk1-2'}) }}"
+  - "{{ elk_instance_template | combine({'name': 'elk1-3'}) }}"

openstack_deploy/user_variables.yml

@@ -152,22 +152,3 @@ ironic_api_uwsgi_ini_overrides:
 magnum_api_uwsgi_ini_overrides:
   uwsgi:
     stats: "/tmp/magnum-api-uwsgi-stats.sock"
-
-# Adding elastic search and kibana to haproxy_extra_services
-haproxy_extra_services:
-  - service:
-      haproxy_service_name: elasticsearch
-      haproxy_backend_nodes: "{{ groups['elastic-logstash'] | default([]) }}"
-      haproxy_ssl: True
-      haproxy_port: 9201
-      haproxy_backend_port: 9200
-      haproxy_balance_type: http
-      haproxy_backend_options:
-        - "httpchk"
-  - service:
-      haproxy_service_name: kibana_ssl
-      haproxy_backend_nodes: "{{ groups['kibana'] | default([]) }}"
-      haproxy_ssl: True
-      haproxy_port: 8443
-      haproxy_backend_port: 81
-      haproxy_balance_type: tcp

scripts/run_deploy.sh

@@ -20,3 +20,16 @@ popd
 pushd ${PROJECT_PATH}/network_bootstrap
 openstack-ansible bootstrap-neutron.yml
 popd
+
+pushd ${PROJECT_PATH}/elk_bootstrap
+openstack-ansible bootstrap-elk-infra.yml
+popd
+
+pushd ${PROJECT_PATH}/openstack-ansible-ops/elk_metrics_6x
+source bootstrap-embedded-ansible.sh || true
+# Workaround until https://review.openstack.org/#/c/643758/ is merged
+export ANSILE_STRATEGY_PLUGINS="${HOME}/ansible_venv/repositories/roles/plugins/strategy"
+export ANSIBLE_INVENTORY="${ANSIBLE_INVENTORY},${PROJECT_PATH}/elk_bootstrap/inventory"
+ansible-playbook site.yml ${USER_VARS} -e 'elk_package_state="latest"'
+deactivate
+popd