Enable TLS for StackLight LMA

Note

This feature is available starting from the MCP 2019.2.4 maintenance update. Before enabling the feature, follow the steps described in Apply maintenance updates.

To ensure the confidentiality and integrity of the communication between Prometheus and Telegraf, and between Fluentd and Elasticsearch, inside your MCP deployment, you can use cryptographic protective measures such as the Transport Layer Security (TLS) protocol. With TLS enabled, Prometheus scrapes data from Telegraf, and Fluentd sends data to Elasticsearch or to the Elasticsearch VIP endpoint, over encrypted channels. This section describes how to enable TLS v1.2 for an existing StackLight LMA deployment, providing message integrity with a SHA384 MAC and RSA TLS certificate signature verification.

Warning

The functionality does not cover encryption of the traffic between HAProxy and Elasticsearch.

To enable TLS for StackLight LMA:

  1. Open your project Git repository with Reclass model on the cluster level.

  2. In infra/config/nodes.yml, add the following classes to the stacklight_log_node01 section:

    stacklight_log_node01:
      classes:
      - system.elasticsearch.client.single
      - system.kibana.client.single
      - system.vnf_onboarding.common.kibana
      - system.elasticsearch.client.ssl
      - system.kibana.client.ssl
    
  3. In infra/init.yml, add the following classes:

    - system.salt.minion.cert.fluentd_prometheus
    - system.fluentd.label.default_metric.prometheus_ssl
    - system.salt.minion.cert.telegraf_agent
    - system.telegraf.agent.output.prometheus_client_ssl
    
  4. In stacklight/init.yml, specify the following parameter:

    fluentd_elasticsearch_scheme: https
    
  5. In stacklight/log.yml:

    1. Replace the system.haproxy.proxy.listen.stacklight.elasticsearch class with the following one:

      system.haproxy.proxy.listen.stacklight.elasticsearch_ssl
      
    2. Add the following classes:

      - system.kibana.server.ssl
      - system.salt.minion.cert.elasticsearch
      
  6. Log in to the Salt Master node.

  7. Apply the following states one by one:

    salt -C "I@salt:master" state.sls reclass
    salt -C "I@salt:minion" state.sls salt.minion.cert
    salt -C "I@salt:minion" state.sls salt.minion.grains
    salt -C "I@salt:minion" mine.update
    salt -C "I@fluentd:agent" state.sls fluentd
    salt -C "I@docker:swarm:role:master and I@prometheus:server" state.sls prometheus.server
    salt -C "I@elasticsearch:server" state.sls haproxy
    salt -C "I@elasticsearch:server" state.sls elasticsearch.server
    salt -C "I@kibana:server" state.sls kibana.server
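After the states have been applied, it is worth confirming that the endpoints really negotiate the policy stated above (TLS v1.2, SHA384 MAC, RSA-authenticated suite) and no longer answer cleartext. The following script is an added example, not part of the MCP documentation or the Salt formulas; the host, port and CA file path are placeholders to be replaced with the deployment's values (for example the Elasticsearch VIP or a Telegraf prometheus_client port).

```python
"""Post-change check of the TLS policy on a StackLight endpoint (added example)."""
import socket
import ssl
from typing import Dict


def cipher_meets_policy(protocol: str, cipher_name: str) -> bool:
    """Check a negotiated (protocol, cipher) pair, in the OpenSSL naming used by
    ssl.SSLSocket.cipher(), against the policy the page states: TLS 1.2 with a
    SHA384 MAC/PRF and an RSA-authenticated key exchange."""
    name = cipher_name.upper()
    sha384 = name.endswith("SHA384")
    # OpenSSL names carry the auth algorithm ('ECDHE-RSA-...', 'DHE-RSA-...');
    # suites with plain RSA key exchange drop the prefix ('AES256-GCM-SHA384').
    rsa_auth = "-RSA-" in f"-{name}-" or name.startswith(("AES", "CAMELLIA"))
    return protocol == "TLSv1.2" and sha384 and rsa_auth


def inspect_endpoint(host: str, port: int, cafile: str) -> Dict[str, object]:
    """Connect with TLS 1.2 as the floor, verify the server certificate against
    the deployment CA, and report what was actually negotiated."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, protocol, bits = tls.cipher()
            return {
                "protocol": protocol,
                "cipher": cipher_name,
                "bits": bits,
                "policy_ok": cipher_meets_policy(protocol, cipher_name),
                "subject": dict(x[0] for x in tls.getpeercert()["subject"]),
            }


def plaintext_rejected(host: str, port: int) -> bool:
    """Send a cleartext HTTP request; a TLS-only listener must not answer with
    an HTTP response (it returns a TLS alert or closes the connection)."""
    with socket.create_connection((host, port), timeout=5) as raw:
        raw.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        try:
            first = raw.recv(64)
        except (ConnectionResetError, socket.timeout):
            return True
    return not first.startswith(b"HTTP/")


if __name__ == "__main__":
    # Placeholders: substitute the Elasticsearch VIP / Telegraf port and CA file.
    HOST, PORT, CAFILE = "elasticsearch.example.local", 9200, "/path/to/ca.crt"
    print(inspect_endpoint(HOST, PORT, CAFILE))
    print("cleartext rejected:", plaintext_rejected(HOST, PORT))
```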