Configure Application Gateway custom probe (#206)

This commit configures a custom probe for Application Gateway.
Custom probes now support status codes other than 200-399, so
configure the probe to also consider a 401 response as healthy.
This removes the need to configure anonymous access to the cluster
base path.

Looked at condesing both gateway resources into one, but Application Gateway validation does not allow an empty object for webApplicationFirewallConfiguration; it fails validation with

error: ApplicationGatewayFirewallCannotBeEnabledForSelectedSku : Application Gateway /subscriptions/<subscription id>/resourceGroups/<resource group>/providers/Microsoft.Network/applicationGateways/es-app-gateway does not support WebApplicationFirewall with the selected SKU tier Standard

Closes #201

src/loadbalancers/standard-application-gateway-resources.json

@@ -212,7 +212,12 @@
               "port": 9200,
               "protocol": "[parameters('applicationGatewaySettings').backendProtocol]",
               "cookieBasedAffinity": "Disabled",
-              "authenticationCertificates": "[variables('backendCerts')]"
+              "authenticationCertificates": "[variables('backendCerts')]",
+              "probeEnabled": true,
+              "probe": {
+                "id": "[concat(variables('applicationGatewayId'), '/probes/es-app-gateway-probe')]"
+              },
+              "requestTimeout": 86400
             }
           }
         ],
@@ -249,6 +254,23 @@
               }
             }
           }
+        ],
+        "probes": [
+          {
+            "name": "es-app-gateway-probe",
+            "properties": {
+              "protocol": "[parameters('applicationGatewaySettings').backendProtocol]",
+              "path": "/",
+              "host": "127.0.0.1",
+              "interval": 30,
+              "timeout": 30,
+              "unhealthyThreshold": 3,
+              "match": {
+                "statusCodes": ["200-399", "401"],
+                "body": ""
+              }
+            }
+          }
         ]
       }
     }

src/loadbalancers/waf-application-gateway-resources.json

@@ -48,11 +48,11 @@
       "No": []
     },
     "backendCerts": "[variables('backendCertsOpts')[if(empty(parameters('applicationGatewaySettings').backendCert), 'No', 'Yes')]]",
-    "wafEnabledOptions": {
+    "wafEnabledOpts": {
       "Enabled": true,
       "Disabled": false
     },
-    "wafEnabled": "[variables('wafEnabledOptions')[parameters('applicationGatewaySettings').firewallStatus]]"
+    "wafEnabled": "[variables('wafEnabledOpts')[parameters('applicationGatewaySettings').firewallStatus]]"
   },
   "resources": [
     {
@@ -217,7 +217,12 @@
               "port": 9200,
               "protocol": "[parameters('applicationGatewaySettings').backendProtocol]",
               "cookieBasedAffinity": "Disabled",
-              "authenticationCertificates": "[variables('backendCerts')]"
+              "authenticationCertificates": "[variables('backendCerts')]",
+              "probeEnabled": true,
+              "probe": {
+                "id": "[concat(variables('applicationGatewayId'), '/probes/es-app-gateway-probe')]"
+              },
+              "requestTimeout": 86400
             }
           }
         ],
@@ -260,7 +265,24 @@
           "ruleSetVersion": "3.0",
           "enabled": "[variables('wafEnabled')]",
           "firewallMode": "[parameters('applicationGatewaySettings').firewallMode]"
-        }
+        },
+        "probes": [
+          {
+            "name": "es-app-gateway-probe",
+            "properties": {
+              "protocol": "[parameters('applicationGatewaySettings').backendProtocol]",
+              "path": "/",
+              "host": "127.0.0.1",
+              "interval": 30,
+              "timeout": 30,
+              "unhealthyThreshold": 3,
+              "match": {
+                "statusCodes": ["200-399", "401"],
+                "body": ""
+              }
+            }
+          }
+        ]
       }
     }
   ],

src/mainTemplate.json

@@ -932,18 +932,8 @@
     "appGatewayCount": {
       "type": "int",
       "defaultValue": 2,
-      "allowedValues": [
-        1,
-        2,
-        3,
-        4,
-        5,
-        6,
-        7,
-        8,
-        9,
-        10
-      ],
+      "minValue": 1,
+      "maxValue": 10,
       "metadata": {
         "description": "The number of instances of the Application Gateway. A minimum of 2 is recommended for Production clusters. Required when selecting Application Gateway for load balancing"
       }
@@ -1599,8 +1589,7 @@
         "dataDisks": "[variables('resolvedDataDiskCount')]"
       },
       "dataLoadBalancerBackEndPools": "[variables('dataLoadBalancerOptions')[variables('clientResourceIndex')].backendPools]",
-      "loadBalancerBackEndPools": "[variables('lbBackEndPoolsAdded').backendPools]",
-      "enableAnonymousAccess": "[if(and(equals(parameters('loadBalancerType'), 'gateway'), equals(parameters('xpackPlugins'), 'Yes')), 'Yes', 'No')]"
+      "loadBalancerBackEndPools": "[variables('lbBackEndPoolsAdded').backendPools]"
     },
     "networkSettings": {
       "name": "[parameters('vNetName')]",

src/scripts/data-node-install.sh

@@ -28,7 +28,6 @@ help()
     echo "-R read password"
     echo "-K kibana user password"
     echo "-S logstash_system user password"
-    echo "-X enable anonymous access with monitoring role (for health probes)"
 
     echo "-l install plugins"
     echo "-L <plugin;plugin> install additional plugins"
@@ -93,7 +92,6 @@ USER_ADMIN_PWD="changeme"
 USER_READ_PWD="changeme"
 USER_KIBANA_PWD="changeme"
 BOOTSTRAP_PASSWORD="changeme"
-ANONYMOUS_ACCESS=0
 
 HTTP_CERT=""
 HTTP_CERT_PASSWORD=""
@@ -120,7 +118,7 @@ COUNTRY=""
 INSTALL_SWITCHES=""
 
 #Loop through options passed
-while getopts :n:m:v:A:R:K:S:Z:p:U:I:c:e:f:g:t:s:o:a:k:L:C:B:E:H:G:T:W:V:J:N:D:O:P:Xxyzldjh optname; do
+while getopts :n:m:v:A:R:K:S:Z:p:U:I:c:e:f:g:t:s:o:a:k:L:C:B:E:H:G:T:W:V:J:N:D:O:P:xyzldjh optname; do
   log "Option $optname set"
   case $optname in
     n) #set cluster name
@@ -147,9 +145,6 @@ while getopts :n:m:v:A:R:K:S:Z:p:U:I:c:e:f:g:t:s:o:a:k:L:C:B:E:H:G:T:W:V:J:N:D:O
     B) #bootstrap password
       BOOTSTRAP_PASSWORD="${OPTARG}"
       ;;
-    X) #anonymous access
-      ANONYMOUS_ACCESS=1
-      ;;
     Z) #number of data nodes hints (used to calculate minimum master nodes)
       DATANODE_COUNT=${OPTARG}
       ;;
@@ -274,10 +269,6 @@ if [ $INSTALL_XPACK -eq 1 ]; then
   INSTALL_SWITCHES="$INSTALL_SWITCHES -l"
 fi
 
-if [ $ANONYMOUS_ACCESS -eq 1 ]; then
-  INSTALL_SWITCHES="$INSTALL_SWITCHES -X"
-fi
-
 # install elasticsearch
 bash elasticsearch-ubuntu-install.sh -n "$CLUSTER_NAME" -m $ES_HEAP -v "$ES_VERSION" -A "$USER_ADMIN_PWD" -R "$USER_READ_PWD" -K "$USER_KIBANA_PWD" -S "$USER_LOGSTASH_PWD" -B "$BOOTSTRAP_PASSWORD" -Z "$DATANODE_COUNT" -p "$NAMESPACE_PREFIX" -a "$STORAGE_ACCOUNT" -k "$STORAGE_KEY" -E "$STORAGE_SUFFIX" -L "$INSTALL_ADDITIONAL_PLUGINS" -C "$YAML_CONFIGURATION" -H "$HTTP_CERT" -G "$HTTP_CERT_PASSWORD" -V "$HTTP_CACERT" -J "$HTTP_CACERT_PASSWORD" -T "$TRANSPORT_CACERT" -W "$TRANSPORT_CACERT_PASSWORD" -N "$TRANSPORT_CERT_PASSWORD" -D "$INTERNAL_LOADBALANCER_IP"  -O "$SAML_METADATA_URI" -P "$SAML_SP_URI" $INSTALL_SWITCHES
 EXIT_CODE=$?

src/scripts/elasticsearch-ubuntu-install.sh

@@ -119,7 +119,6 @@ USER_KIBANA_PWD="changeme"
 USER_LOGSTASH_PWD="changeme"
 BOOTSTRAP_PASSWORD="changeme"
 SEED_PASSWORD="changeme"
-ANONYMOUS_ACCESS=0
 
 INSTALL_AZURECLOUD_PLUGIN=0
 STORAGE_ACCOUNT=""
@@ -141,7 +140,7 @@ SAML_METADATA_URI=""
 SAML_SP_URI=""
 
 #Loop through options passed
-while getopts :n:m:v:A:R:K:S:Z:p:a:k:L:C:B:E:H:G:T:W:V:J:N:D:O:P:Xxyzldjh optname; do
+while getopts :n:m:v:A:R:K:S:Z:p:a:k:L:C:B:E:H:G:T:W:V:J:N:D:O:P:xyzldjh optname; do
   log "Option $optname set"
   case $optname in
     n) #set cluster name
@@ -168,9 +167,6 @@ while getopts :n:m:v:A:R:K:S:Z:p:a:k:L:C:B:E:H:G:T:W:V:J:N:D:O:P:Xxyzldjh optnam
     B) #bootstrap password
       BOOTSTRAP_PASSWORD="${OPTARG}"
       ;;
-    X) #anonymous access
-      ANONYMOUS_ACCESS=1
-      ;;
     Z) #number of data nodes hints (used to calculate minimum master nodes)
       DATANODE_COUNT=${OPTARG}
       ;;
@@ -605,21 +601,6 @@ apply_security_settings()
         exit 10
       fi
       log "[apply_security_settings] added es_read account"
-
-      # create an anonymous_user role
-      if [ ${ANONYMOUS_ACCESS} -ne 0 ]; then
-        log "[apply_security_settings] create anonymous_user role"
-        curl_ignore_409 -XPOST -u "elastic:$USER_ADMIN_PWD" "$XPACK_ROLE_ENDPOINT/anonymous_user" -d'
-        {
-          "cluster": [ "cluster:monitor/main" ]
-        }'
-        if [[ $? != 0 ]]; then
-          log "[apply_security_settings] could not create anonymous_user role"
-          exit 10
-        fi
-        log "[apply_security_settings] added anonymous_user role"
-      fi
-
       log "[apply_security_settings] updated roles and users"
     fi
 }
@@ -1028,21 +1009,6 @@ configure_elasticsearch_yaml()
         echo "xpack.security.enabled: true" >> $ES_CONF
     fi
 
-    # Configure Anonymous access
-    if [ ${ANONYMOUS_ACCESS} -ne 0 ]; then
-        log "[configure_elasticsearch_yaml] Set anonymous access"
-        {
-            echo -e ""
-            echo -e "# anonymous access"
-            echo -e "xpack.security.authc:"
-            echo -e "  anonymous:"
-            echo -e "    username: anonymous_user"
-            echo -e "    roles: anonymous_user"
-            echo -e "    authz_exception: false"
-            echo -e ""
-        } >> $ES_CONF
-    fi
-
     # Additional yaml configuration
     if [[ -n "$YAML_CONFIGURATION" ]]; then
         log "[configure_elasticsearch_yaml] include additional yaml configuration"

src/settings/ubuntuSettings.json

@@ -84,12 +84,7 @@
       "Yes": "l"
     },
     "installPluginsShortOpt": "[variables('installPluginsShortOpts')[parameters('esSettings').installPlugins]]",
-    "enableAnonymousAccessOpts": {
-      "No": "",
-      "Yes": "X"
-    },
-    "enableAnonymousAccessOpt": "[variables('enableAnonymousAccessOpts')[parameters('topologySettings').enableAnonymousAccess]]",
-    "commonShortOpts": "[concat(variables('dedicatedMasterNodesShortOpt'),  variables('installPluginsShortOpt'), variables('installAzureCloudPluginShortOpt'), variables('enableAnonymousAccessOpt'), 'n ')]",
+    "commonShortOpts": "[concat(variables('dedicatedMasterNodesShortOpt'),  variables('installPluginsShortOpt'), variables('installAzureCloudPluginShortOpt'), 'n ')]",
     "commonInstallParams": "[concat('\"', parameters('esSettings').clusterName, '\" -v \"', parameters('esSettings').version, '\" -m ', parameters('esSettings').heapSize,' -A \"', parameters('esSettings').securityAdminPwd, '\" -R \"', parameters('esSettings').securityReadPwd, '\" -K \"', parameters('esSettings').securityKibanaPwd, '\" -S \"', parameters('esSettings').securityLogstashPwd, '\" -B \"', parameters('esSettings').securityBootstrapPwd, '\" -Z ', parameters('topologySettings').vmDataNodeCount,' -p \"', variables('namespacePrefix'), '\" -a \"', parameters('azureCloudStorageAccount').name, '\" -k \"', parameters('azureCloudStorageAccount').key, '\" -E \"', parameters('azureCloudStorageAccount').suffix, '\" -L \"', parameters('esSettings').installAdditionalPlugins, '\" -C \"', replace(parameters('esSettings').yamlConfiguration, '\"', '\\\"'), '\" -D \"', parameters('topologySettings').vNetLoadBalancerIp, '\" -H \"', parameters('esSettings').httpCertBlob,'\" -G \"', parameters('esSettings').httpCertPassword, '\" -V \"', parameters('esSettings').httpCaCertBlob, '\" -J \"', parameters('esSettings').httpCaCertPassword, '\" -T \"', parameters('esSettings').transportCaCertBlob, '\" -W \"', parameters('esSettings').transportCaCertPassword, '\" -N \"', parameters('esSettings').transportCertPassword, '\" -O \"', parameters('esSettings').samlMetadataUri, '\" -P \"', variables('kibanaDomainName'), '\"')]",
     "ubuntuScripts": [
       "[concat(parameters('templateBaseUrl'), 'scripts/elasticsearch-ubuntu-install.sh')]",