1. Home
  2. MCP Operations Guide
  3. StackLight LMA operations
  4. Add new features to an existing StackLight LMA deployment
  5. Enable TLS for StackLight LMA

Enable TLS for StackLight LMA

Enable TLS for StackLight LMAΒΆ

Note

This feature is available starting from the MCP 2019.2.4 maintenance update. Before enabling the feature, follow the steps described in Apply maintenance updates.

To assure the confidentiality and integrity of the communication between Prometheus and Telegraf, Fluentd and Elasticsearch inside your MCP deployment, you can use cryptographic protective measures, such as the Transport Layer Security (TLS) protocol. In this case, Prometheus scrapes the data from Telegraf and Fluentd sends data to Elasticsearch or Elasticsearch VIP endpoint through encrypted channels. This section describes how to enable TLS v1.2 for an existing StackLight LMA deployment to provide message integrity with SHA384 MAC and RSA TLS certificate signature verification.

Warning

The functionality does not cover encryption of the traffic between HAProxy and Elasticsearch.

To enable TLS for StackLight LMA:

  1. Open your project Git repository with Reclass model on the cluster level.

  2. In infra/config/nodes.yml, add the following classes to the stacklight_log_node01 section:

    stacklight_log_node01:
  classes:
  - system.elasticsearch.client.single
  - system.kibana.client.single
  - system.vnf_onboarding.common.kibana
  - system.elasticsearch.client.ssl
  - system.kibana.client.ssl

  3. In infra/init.yml, add the following classes:

    - system.salt.minion.cert.fluentd_prometheus
- system.fluentd.label.default_metric.prometheus_ssl
- system.salt.minion.cert.telegraf_agent
- system.telegraf.agent.output.prometheus_client_ssl

  4. In stacklight/init.yml, specify the following parameter:

    fluentd_elasticsearch_scheme: https

  5. In stacklight/log.yml:

    1. Replace the system.haproxy.proxy.listen.stacklight.elasticsearch class with the following one:

      system.haproxy.proxy.listen.stacklight.elasticsearch_ssl

    2. Add the following classes:

      - system.kibana.server.ssl
- system.salt.minion.cert.elasticsearch

  6. Log in to the Salt Master node.

  7. Apply the following states one by one:

    salt -C "I@salt:master" state.sls reclass
salt -C "I@salt:minion" state.sls salt.minion.cert
salt -C "I@salt:minion" state.sls salt.minion.grains
salt -C "I@salt:minion" mine.update
salt -C "I@fluentd:agent" state.sls fluentd
salt -C "I@docker:swarm:role:master and I@prometheus:server" state.sls prometheus.server
salt -C "I@elasticsearch:server" state.sls haproxy
salt -C "I@elasticsearch:server"  state.sls elasticsearch.server
salt -C "I@kibana:server" state.sls kibana.server
updated: 2024-01-04 11:47