From e99506b030deeb99f2b52dc58597a8b02f1f5b2d Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Thu, 14 Dec 2017 14:09:05 -0800
Subject: [PATCH] Update elasticsearch firewall rules

This converts the config for elasticsearch cluster client firewall rules to use the new puppet-iptables iptables_allowed_hosts feature. This works around an issue with netfilter-persistent starting before dns resolution is working on boot.

Change-Id: I81b7598cb32d498b219ee00f0589e6bf0dc8c242
---
 hiera/common.yaml | 50 ++++++++++++++++++++++++++---------------------
 manifests/site.pp | 11 ++---------
 2 files changed, 30 insertions(+), 31 deletions(-)

diff --git a/hiera/common.yaml b/hiera/common.yaml
index 586dcf4e41..34d0cb3cc3 100644
--- a/hiera/common.yaml
+++ b/hiera/common.yaml
@@ -6,28 +6,34 @@ elasticsearch_nodes:
 - elasticsearch05.openstack.org
 - elasticsearch06.openstack.org
 - elasticsearch07.openstack.org
-elasticsearch_clients:
-- logstash.openstack.org
-- logstash-worker01.openstack.org
-- logstash-worker02.openstack.org
-- logstash-worker03.openstack.org
-- logstash-worker04.openstack.org
-- logstash-worker05.openstack.org
-- logstash-worker06.openstack.org
-- logstash-worker07.openstack.org
-- logstash-worker08.openstack.org
-- logstash-worker09.openstack.org
-- logstash-worker10.openstack.org
-- logstash-worker11.openstack.org
-- logstash-worker12.openstack.org
-- logstash-worker13.openstack.org
-- logstash-worker14.openstack.org
-- logstash-worker15.openstack.org
-- logstash-worker16.openstack.org
-- logstash-worker17.openstack.org
-- logstash-worker18.openstack.org
-- logstash-worker19.openstack.org
-- logstash-worker20.openstack.org
+elasticsearch_iptables_rule_data:
+- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch02.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch03.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch04.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch05.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch06.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch07.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker01.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker02.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker03.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker04.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker05.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 
'logstash-worker06.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker07.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker08.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker09.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker10.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker11.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker12.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker13.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker14.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker15.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker16.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker17.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker18.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker19.openstack.org'}
+- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker20.openstack.org'}
 logstash_iptables_rule_data:
 - {protocol: 'tcp', port: '4730', hostname: 'logstash-worker01.openstack.org'}
 - {protocol: 'tcp', port: '4730', hostname: 'logstash-worker02.openstack.org'}
diff --git a/manifests/site.pp b/manifests/site.pp
index 44e69c120c..b5843be581 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -6,7 +6,6 @@
 # passed around in test.sh
 #
 $elasticsearch_nodes = hiera_array('elasticsearch_nodes')
-$elasticsearch_clients = hiera_array('elasticsearch_clients')
 #
 # Default: should at least behave like an openstack server
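Review bot: The cluster membership is now maintained in two places — `elasticsearch_nodes` (still used for `discover_nodes`) and the elasticsearch02–07 entries at the top of the new `elasticsearch_iptables_rule_data` list — so adding or retiring a node needs two matching edits and the lists can drift silently; elasticsearch01 is absent from the new rule data while the site.pp node regex still matches `elasticsearch0[1-7]`, so confirm it is not an active member that would lose transport access. A comment above the new key such as `# Keep the elasticsearch0N entries in sync with elasticsearch_nodes above: every member needs 9200:9400 from every other member` would make the coupling explicit. Separately, the logstash entries inherit the full `9200:9400` range from the old rule; if those hosts only use the HTTP API on 9200, narrowing their `port` to '9200' would keep the transport port reachable only from cluster members, which is worth checking against the logstash configuration before tightening. This hunk begins in the previous line and ends here.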
@@ -520,19 +519,13 @@ node /^subunit-worker\d+\.openstack\.org$/ {
 # Node-OS: xenial
 node /^elasticsearch0[1-7]\.openstack\.org$/ {
 $group = "elasticsearch"
- $iptables_nodes_rule = regsubst ($elasticsearch_nodes,
- '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
- $iptables_clients_rule = regsubst ($elasticsearch_clients,
- '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
- $iptables_rule = flatten([$iptables_nodes_rule, $iptables_clients_rule])
 class { 'openstack_project::server':
 iptables_public_tcp_ports => [22],
- iptables_rules6 => $iptables_rule,
- iptables_rules4 => $iptables_rule,
+ iptables_allowed_hosts => hiera_array('elasticsearch_iptables_rule_data'),
 sysadmins => hiera('sysadmins', []),
 }
 class { 'openstack_project::elasticsearch_node':
- discover_nodes => $elasticsearch_nodes,
+ discover_nodes => $elasticsearch_nodes,
 }
 }
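Review bot: The removed rules were installed on both `iptables_rules4` and `iptables_rules6`, but the replacement passes the host list through the single `iptables_allowed_hosts` parameter, and nothing in this hunk shows whether that feature also emits ip6tables rules for hostnames with AAAA records; if it resolves only A records, IPv6 cluster and client traffic on 9200:9400 would be dropped after the next agent run. Because the allow rules are presumably now derived from name resolution at catalog-compile time rather than when netfilter-persistent starts, a host that changes address stays blocked until the next Puppet run, a different failure mode from the boot-time one this change works around and worth a note next to the parameter, e.g. `# hosts are resolved at catalog time; re-run puppet after any re-IP of a member or client`. Confirm on one node after rollout with `iptables -S` and `ip6tables -S` that both families contain the expected `-s` entries. The `discover_nodes` pair changes only whitespace, and the enclosing node block closes inside the hunk.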