OS-capacity exporter should not be exposed

The os-capacity exporter has access to admin cloud credentials and
provides details of current utilisation for all OpenStack tenancies.
Currently this exporter binds to all interfaces on hosts where it
is deployed, which may lead to leakage of potentially important
data on an unauthenticated port.

Bind the exporter only to the Internal API network, from where it
is usually scraped.

Signed-off-by: Stig Telfer <stig@stackhpc.com>

Author: oneswig

etc/kayobe/ansible/deployment/deploy-os-capacity-exporter.yml

@@ -66,6 +66,7 @@
             env:
               OS_CLOUD: openstack
               OS_CLIENT_CONFIG_FILE: /etc/openstack/clouds.yaml
+              OS_CAPACITY_EXPORTER_LISTEN_ADDRESS: "{{ internal_net_name | net_ip }}"
             mounts:
               - type: bind
                 source: /opt/kayobe/os-capacity/