From 5f876310cefaa477911b855378908e4ad819743d Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Thu, 14 Dec 2017 13:16:12 -0800
Subject: [PATCH] Simplify elasticsearch firewall rules
Because we are no longer running elasticsearch daemons on logstash-workers to perform indexing (and instead use http to the elasticsearch cluster data nodes) and because kibana also speaks the http API and doesn't join the cluster from logstash.openstack.org we don't need to allow the full mesh of connectivity over ports 9200 to 9400. Remove these unneeded firewall rules as the next step is converting to the new dns resolving firewall rule builder parameter in puppet-iptables.
Change-Id: If79bab6dc0b510c5589b83c943458e8580eb8092
---
 manifests/site.pp | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/manifests/site.pp b/manifests/site.pp
index 029f26a38a..91d4fa1f41 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -463,11 +463,8 @@ node /^wiki-dev\d+\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^logstash\d*\.openstack\.org$/ {
- $iptables_es_rule = regsubst($elasticsearch_nodes,
- '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
- $iptables_gm_rule = regsubst($logstash_gearman_clients,
+ $logstash_iptables_rule = regsubst($logstash_gearman_clients,
 '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')
- $logstash_iptables_rule = flatten([$iptables_es_rule, $iptables_gm_rule])
 class { 'openstack_project::server':
 iptables_public_tcp_ports => [22, 80, 3306],
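Review bot: Dropping the `flatten([...])` wrapper means `$logstash_iptables_rule` is now exactly what `regsubst()` returns, so it stays a list of rules only if `$logstash_gearman_clients` is itself a list. That variable is defined outside this hunk, so its type is worth confirming; if a single string is possible, wrapping the new `regsubst(...)` call in `flatten([ ])` keeps the type the old code passed on. A comment above the assignment would also record why the wide range must not come back, e.g. `# Only gearman (4730) is opened per client: kibana uses the elasticsearch HTTP API and does not join the cluster, so 9200:9400 stays closed.` The `class { 'openstack_project::server':` body that consumes the variable continues past the end of the hunk.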
@@ -493,14 +490,10 @@ node /^logstash\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^logstash-worker\d+\.openstack\.org$/ {
- $logstash_worker_iptables_rule = regsubst(flatten([$elasticsearch_nodes, $elasticsearch_clients]),
- '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
 $group = 'logstash-worker'
 class { 'openstack_project::server':
 iptables_public_tcp_ports => [22],
- iptables_rules6 => $logstash_worker_iptables_rule,
- iptables_rules4 => $logstash_worker_iptables_rule,
 sysadmins => hiera('sysadmins', []),
 }