Note
This feature is available starting from the MCP 2019.2.4 maintenance update. Before enabling the feature, follow the steps described in Apply maintenance updates.
To assure the confidentiality and integrity of the communication between Prometheus and Telegraf, and between Fluentd and Elasticsearch, inside your MCP deployment, you can use cryptographic protective measures such as the Transport Layer Security (TLS) protocol. In this case, Prometheus scrapes the data from Telegraf, and Fluentd sends data to Elasticsearch or to the Elasticsearch VIP endpoint, through encrypted channels. This section describes how to enable TLS v1.2 for an existing StackLight LMA deployment to provide message integrity with SHA384 MAC and RSA TLS certificate signature verification.
Warning
The functionality does not cover encryption of the traffic between HAProxy and Elasticsearch.
To enable TLS for StackLight LMA:
Open your project Git repository with the Reclass model on the cluster level.
In infra/config/nodes.yml, add the following classes to the stacklight_log_node01 section:
stacklight_log_node01:
  classes:
  - system.elasticsearch.client.single
  - system.kibana.client.single
  - system.vnf_onboarding.common.kibana
  - system.elasticsearch.client.ssl
  - system.kibana.client.ssl
In infra/init.yml, add the following classes:
  - system.salt.minion.cert.fluentd_prometheus
  - system.fluentd.label.default_metric.prometheus_ssl
  - system.salt.minion.cert.telegraf_agent
  - system.telegraf.agent.output.prometheus_client_ssl
In stacklight/init.yml, specify the following parameter:
  fluentd_elasticsearch_scheme: https
In stacklight/log.yml:
Replace the system.haproxy.proxy.listen.stacklight.elasticsearch class with the following one:
  system.haproxy.proxy.listen.stacklight.elasticsearch_ssl
Add the following classes:
  - system.kibana.server.ssl
  - system.salt.minion.cert.elasticsearch
Log in to the Salt Master node.
Apply the following states one by one:
salt -C "I@salt:master" state.sls reclass
salt -C "I@salt:minion" state.sls salt.minion.cert
salt -C "I@salt:minion" state.sls salt.minion.grains
salt -C "I@salt:minion" mine.update
salt -C "I@fluentd:agent" state.sls fluentd
salt -C "I@docker:swarm:role:master and I@prometheus:server" state.sls prometheus.server
salt -C "I@elasticsearch:server" state.sls haproxy
salt -C "I@elasticsearch:server" state.sls elasticsearch.server
salt -C "I@kibana:server" state.sls kibana.server
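A post-change check to run once the states above have been applied, added here as an example and not part of the MCP documentation or the StackLight code. It connects to the two endpoints this procedure switches to TLS, the Telegraf prometheus_client output and the Elasticsearch VIP, and confirms that each negotiates TLS 1.2 with a SHA384, RSA-authenticated cipher suite while still verifying the server certificate. The host names, the ports and the CA bundle path are placeholders to be replaced with the values of your deployment.

```python
"""Verify that the StackLight endpoints switched to TLS by this procedure
negotiate TLS 1.2 with a SHA384 / RSA cipher suite and a trusted certificate.
Added example; not MCP or StackLight code."""
import socket
import ssl

# Assumption: a CA bundle that trusts the CA used by salt.minion.cert.
CA_FILE = "/etc/ssl/certs/ca-certificates.crt"
REQUIRED_VERSION = "TLSv1.2"


def meets_policy(version: str, cipher: str) -> bool:
    """True when the negotiated parameters match what this page enables:
    TLS 1.2, a SHA384-based suite and RSA certificate authentication
    (both appear in the OpenSSL suite name, e.g. ECDHE-RSA-AES256-GCM-SHA384)."""
    if version != REQUIRED_VERSION:
        return False
    parts = cipher.split("-")
    return "SHA384" in parts and "RSA" in parts


def probe(host: str, port: int, cafile: str = CA_FILE, timeout: float = 5.0):
    """Open a verified TLS connection and return (version, cipher_name).
    An SSLError here means the endpoint presents a certificate the CA
    bundle does not trust, or speaks plaintext on that port."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse anything older
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _protocol, _bits = tls.cipher()
            return tls.version(), cipher_name


def check_endpoints(endpoints):
    """Probe each (label, host, port) and return {label: (ok, detail)}."""
    results = {}
    for label, host, port in endpoints:
        try:
            version, cipher = probe(host, port)
            results[label] = (meets_policy(version, cipher), f"{version} {cipher}")
        except (OSError, ssl.SSLError) as exc:   # refused, plaintext or untrusted
            results[label] = (False, str(exc))
    return results


if __name__ == "__main__":
    # Placeholder hosts and ports: use your log node and Elasticsearch VIP.
    targets = [
        ("telegraf prometheus_client", "log01.example.local", 9273),
        ("elasticsearch VIP", "es-vip.example.local", 9200),
    ]
    for label, (ok, detail) in check_endpoints(targets).items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {detail}")
```

Run it from the Salt Master after the last state completes; a FAIL for an endpoint that was reachable before the change usually means the relevant ssl class was not picked up by the node and the state should be re-applied there.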