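#!/bin/bash
# Generates the TLS material for the native Elasticsearch cluster:
#   - a CA keystore (/certs/elastic-stack-ca.p12) plus PEM copies of its certificate and key
#   - per-instance certificate bundles (/certs/es_native_certs_bundle.zip, PKCS#12, and
#     /certs/es_native_certs_bundle_pem.zip, PEM), extracted to /certs/elasticsearch
#   - HTTP-layer certificates (/certs/elasticsearch-ssl-http.zip), extracted to /certs
# and finally copies everything under /certs to /usr/share/elasticsearch/config/certificates/.
#
# The script must be run from the Elasticsearch home directory: it calls
# bin/elasticsearch-certutil and writes config/certificates/instances.yml.
#
# Configuration comes from the environment:
#   ES_CERTIFICATE_PASSWORD                password for the CA and the generated keystores
#                                          (default: cogstackNifi)
#   ES_CERTIFICATE_TIME_VAILIDITY_IN_DAYS  certificate lifetime in days (default: 730).
#                                          The historical spelling is kept because callers set it.
#   ES_HOSTNAMES                           extra DNS names added to every instance, one per line.
#                                          The historical format is one "- example1.com" per line
#                                          with no extra characters at the start of the line;
#                                          bare "example1.com" lines are accepted too.
#   ES_INSTANCE_NAME_1..3                  instance names. Use the servers' domain names when the
#                                          ES nodes run on separate machines (es-server01, ...) or
#                                          the container names when they run on the same host
#                                          (default: elasticsearch-1, elasticsearch-2, elasticsearch-3).
set -euo pipefail

readonly CERTS_DIR=/certs
readonly INSTANCES_FILE=config/certificates/instances.yml
readonly CA_FILE="${CERTS_DIR}/elastic-stack-ca.p12"

#######################################
# Prints a message to stderr and exits with status 1.
# Arguments: the message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Applies the documented defaults to the configuration variables and validates them.
# Globals: ES_CERTIFICATE_PASSWORD (written, exported), ES_CERTIFICATE_TIME_VAILIDITY_IN_DAYS,
#          ES_HOSTNAMES, ES_INSTANCE_NAME_1..3 (written when unset)
# Outputs: one line on stdout per variable that was defaulted (same wording as before)
#######################################
resolve_settings() {
  if [[ -z "${ES_CERTIFICATE_PASSWORD:-}" ]]; then
    ES_CERTIFICATE_PASSWORD="cogstackNifi"
    echo "ES_CERTIFICATE_PASSWORD not set, defaulting to ES_CERTIFICATE_PASSWORD=cogstackNifi"
  fi
  # Exported so openssl can read it through 'env:' instead of from argv (argv shows up in 'ps'
  # and in 'set -x' traces).
  export ES_CERTIFICATE_PASSWORD

  if [[ -z "${ES_CERTIFICATE_TIME_VAILIDITY_IN_DAYS:-}" ]]; then
    ES_CERTIFICATE_TIME_VAILIDITY_IN_DAYS=730
    echo "ES_CERTIFICATE_TIME_VAILIDITY_IN_DAYS not set, defaulting to ES_CERTIFICATE_TIME_VAILIDITY_IN_DAYS=730"
  fi
  # The value is passed straight to certutil --days; reject anything that is not a positive integer
  # up front instead of letting certutil fail part-way through the run.
  [[ "${ES_CERTIFICATE_TIME_VAILIDITY_IN_DAYS}" =~ ^[1-9][0-9]*$ ]] \
    || die "ES_CERTIFICATE_TIME_VAILIDITY_IN_DAYS must be a positive integer, got '${ES_CERTIFICATE_TIME_VAILIDITY_IN_DAYS}'"

  if [[ -z "${ES_HOSTNAMES:-}" ]]; then
    echo "ES_HOSTNAMES env var not set, defaulting to ''"
    ES_HOSTNAMES=""
  fi

  local n var
  for n in 1 2 3; do
    var="ES_INSTANCE_NAME_${n}"
    if [[ -z "${!var:-}" ]]; then
      echo "${var} env var not set, defaulting to 'elasticsearch-${n}'"
      printf -v "$var" '%s' "elasticsearch-${n}"
    fi
  done
}

#######################################
# Prints one YAML list item per hostname in ES_HOSTNAMES.
# Globals:   ES_HOSTNAMES (read)
# Arguments: $1 - indentation prefix for each item
# Outputs:   "<indent>- host" lines on stdout; blank lines in ES_HOSTNAMES are skipped
#######################################
extra_dns_entries() {
  local indent=$1 line host
  while IFS= read -r line || [[ -n "$line" ]]; do
    host=${line#"${line%%[![:space:]]*}"}    # left-trim
    host=${host#-}                            # drop the historical leading "- "
    host=${host#"${host%%[![:space:]]*}"}    # left-trim again after removing the dash
    host=${host%"${host##*[![:space:]]}"}    # right-trim
    [[ -n "$host" ]] || continue
    printf '%s- %s\n' "$indent" "$host"
  done <<<"${ES_HOSTNAMES}"
}

#######################################
# Prints the instances.yml entry for one instance.
# Arguments: $1 - instance name (also its first DNS name)
#            $2 - short alias added to the DNS names (es01/es02)
# Outputs:   YAML on stdout, indented for a top-level "instances:" list
#######################################
instance_block() {
  local name=$1 alias=$2
  printf '  - name: %s\n' "$name"
  printf '    dns:\n'
  printf '      - %s\n' "$name" "$alias" localhost
  extra_dns_entries '      '
  printf '    ip:\n'
  printf '      - 127.0.0.1\n'
}

#######################################
# Writes config/certificates/instances.yml for the three instances.
# Globals: ES_INSTANCE_NAME_1..3 (read), INSTANCES_FILE (read)
#######################################
write_instances_yml() {
  {
    printf 'instances:\n'
    instance_block "$ES_INSTANCE_NAME_1" es01
    instance_block "$ES_INSTANCE_NAME_2" es02
    # NOTE(review): the original file also listed es02 (not es03) for the third instance;
    # kept as-is, confirm whether that is intended.
    instance_block "$ES_INSTANCE_NAME_3" es02
  } > "$INSTANCES_FILE"
}

#######################################
# Creates the CA keystore unless it already exists.
# Globals: CA_FILE, ES_CERTIFICATE_PASSWORD, ES_CERTIFICATE_TIME_VAILIDITY_IN_DAYS (read)
#######################################
generate_ca() {
  # Guard on the CA keystore itself. The previous guard tested /certs/es_native_ca_bundle.zip,
  # which nothing creates, so the CA was re-issued on every run while the (guarded) instance
  # bundles kept certificates signed by the old CA.
  if [[ -f "$CA_FILE" ]]; then
    return 0
  fi
  echo "Generating root-ca certificates for native ES"
  # NOTE(review): certutil still receives the password on argv via --pass (visible in 'ps');
  # the original also fed it on stdin, so --pass may be droppable - left as in the original.
  bin/elasticsearch-certutil ca --silent --days "$ES_CERTIFICATE_TIME_VAILIDITY_IN_DAYS" \
    --out "$CA_FILE" --pass "$ES_CERTIFICATE_PASSWORD" <<<"$ES_CERTIFICATE_PASSWORD"
  # Kept from the original: issues a default certificate (no --out, so certutil's default output
  # name in the working directory). Nothing below references it - presumably consumed by the
  # Elasticsearch config; confirm before removing. The blank line after the password answers the
  # remaining prompt with an empty value, as in the original - don't delete it.
  bin/elasticsearch-certutil cert --silent --ca "$CA_FILE" --pass "$ES_CERTIFICATE_PASSWORD" <<EOF
$ES_CERTIFICATE_PASSWORD

EOF
}

#######################################
# Issues a per-instance certificate bundle signed by the CA unless it already exists.
# Globals:   CA_FILE, INSTANCES_FILE, ES_CERTIFICATE_PASSWORD,
#            ES_CERTIFICATE_TIME_VAILIDITY_IN_DAYS (read)
# Arguments: $1 - output zip path
#            $2 - progress message printed before generation
#            $@ - extra certutil options (e.g. --pem)
#######################################
issue_bundle() {
  local out=$1 message=$2
  shift 2
  if [[ -f "$out" ]]; then
    return 0
  fi
  echo "$message"
  # The four password lines answer certutil's prompts exactly as the original script did.
  bin/elasticsearch-certutil cert "$@" --silent --out "$out" --in "$INSTANCES_FILE" \
    --days "$ES_CERTIFICATE_TIME_VAILIDITY_IN_DAYS" --ca "$CA_FILE" <<EOF
$ES_CERTIFICATE_PASSWORD
$ES_CERTIFICATE_PASSWORD
$ES_CERTIFICATE_PASSWORD
$ES_CERTIFICATE_PASSWORD
EOF
}

#######################################
# Runs the interactive 'certutil http' wizard with scripted answers and extracts its output.
# Globals: ES_INSTANCE_NAME_1..3, ES_CERTIFICATE_PASSWORD, CERTS_DIR (read)
#######################################
generate_http_certs() {
  echo "------------------------------------------------"
  echo "------------------------------------------------"
  # The answers (and their order, including the trailing blank line) are kept exactly as in the
  # original script; 'cogstack*' is literal here because the here-doc body is not globbed.
  bin/elasticsearch-certutil --silent http <<EOF
y
y
$ES_INSTANCE_NAME_1
localhost
$ES_INSTANCE_NAME_1
$ES_INSTANCE_NAME_2
$ES_INSTANCE_NAME_3
cogstack*
es01
es02
0.0.0.0
n
y
$ES_INSTANCE_NAME_2
localhost
$ES_INSTANCE_NAME_1
$ES_INSTANCE_NAME_2
$ES_INSTANCE_NAME_3
cogstack*
es01
es02
0.0.0.0
n
y
$ES_INSTANCE_NAME_3
localhost
$ES_INSTANCE_NAME_1
$ES_INSTANCE_NAME_2
$ES_INSTANCE_NAME_3
cogstack*
es01
es02
0.0.0.0
n
n
$ES_CERTIFICATE_PASSWORD
$ES_CERTIFICATE_PASSWORD
${CERTS_DIR}/elasticsearch-ssl-http.zip

EOF
  # -o: the script is non-interactive; overwrite what an earlier run extracted instead of
  # waiting on unzip's overwrite prompt.
  unzip -o "${CERTS_DIR}/elasticsearch-ssl-http.zip" -d "$CERTS_DIR"
}

#######################################
# Exports the CA certificate and key from the PKCS#12 keystore as PEM and adds them to the PEM bundle.
# Globals: CA_FILE, CERTS_DIR, ES_CERTIFICATE_PASSWORD (read)
#######################################
export_ca_pem() {
  # 'env:' makes openssl read the password from the environment instead of argv.
  openssl pkcs12 -in "$CA_FILE" -out "${CERTS_DIR}/elastic-stack-ca.crt.pem" -clcerts -nokeys \
    -password env:ES_CERTIFICATE_PASSWORD
  openssl pkcs12 -in "$CA_FILE" -out "${CERTS_DIR}/elastic-stack-ca.key.pem" -nocerts -nodes \
    -password env:ES_CERTIFICATE_PASSWORD
  zip -ur "${CERTS_DIR}/es_native_certs_bundle_pem.zip" \
    "${CERTS_DIR}/elastic-stack-ca.crt.pem" "${CERTS_DIR}/elastic-stack-ca.key.pem"
}

#######################################
# Normalises ownership and permissions under /certs.
# Globals: CERTS_DIR (read)
#######################################
set_permissions() {
  echo "Setting file permissions"
  chown -R root:root "$CERTS_DIR"
  find "$CERTS_DIR" -type d -exec chmod 755 {} +
  # Certificates and keys are data, not executables: 644 instead of the previous 755.
  # NOTE(review): this still leaves the private keys world-readable, as before; restrict them
  # to the Elasticsearch service user (e.g. 640 with a matching group) if the deployment allows.
  find "$CERTS_DIR" -type f -exec chmod 644 {} +
}

#######################################
# Entry point: generates all certificate material and installs it into the ES config directory.
#######################################
main() {
  resolve_settings
  write_instances_yml
  generate_ca
  issue_bundle "${CERTS_DIR}/es_native_certs_bundle.zip" "Generating CSR certficates for ES clusters"
  issue_bundle "${CERTS_DIR}/es_native_certs_bundle_pem.zip" "Generating PEM certficates for ES clusters" --pem
  unzip -o "${CERTS_DIR}/es_native_certs_bundle_pem.zip" -d "${CERTS_DIR}/elasticsearch"
  unzip -o "${CERTS_DIR}/es_native_certs_bundle.zip" -d "${CERTS_DIR}/elasticsearch"
  generate_http_certs
  export_ca_pem
  # Permissions are applied last so the PEM files written by export_ca_pem are covered too
  # (the original chmod ran before they existed).
  set_permissions
  cp -rf "${CERTS_DIR}"/* /usr/share/elasticsearch/config/certificates/
}

main "$@"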