@@ -4,6 +4,8 @@ test "${no_config:-0}" == 1
44CONFIG=$?
55test " ${no_config_secret:- 0} " == 1
66CONFIG_SECRET=$?
7+ ES_TRUSTED_CA_CERT_FILES=()
8+ IFS=' ,' read -r -a ES_TRUSTED_CA_CERT_FILES <<< " ${es_trusted_ca_cert_files:-$es_trusted_ca_cert_file}"
79test " ${no_config_es:- 0} " == 1
810CONFIG_ES=$?
911ES_URI=${es_uri:- }
@@ -28,6 +30,7 @@ function usage {
2830 --no-config-secret | do not add random secret to configuration
2931 --no-config-es | do not add elasticsearch hosts to configuration
3032 --es-uri <uri> | use this string to configure elasticsearch hosts (format: http(s)://host:port,host:port(/prefix)?querystring)
33+ --es-trust-ca-cert <file.pem>| trust a CA for outbound Elasticsearch TLS connections (can use multiple times)
3134 --es-hostname <host> | resolve this hostname to find elasticsearch instances
3235 --secret <secret> | secret to secure sessions
3336 --show-secret | show the generated secret
5154 " --es-hosts" ) echo " --es-hosts is deprecated, please use --es-uri"
5255 usage;;
5356 " --es-uri" ) shift ; ES_URI=$1 ;;
57+ " --es-trust-ca-cert" ) shift ; ES_TRUSTED_CA_CERT_FILES+=($1 );;
5458 " --es-hostname" ) shift ; ES_HOSTNAME=$1 ;;
5559 " --secret" ) shift ; SECRET=$1 ;;
5660 " --show-secret" ) SHOW_SECRET=1;;
@@ -108,6 +112,37 @@ then
108112 else
109113 echo elasticsearch host not configured
110114 fi
115+
116+ if test ${# ES_TRUSTED_CA_CERT_FILES} -gt 0
117+ then
118+ # elastic4play only lets us specify one truststore, so let's
119+ # make it a JKS with whatever is needed inside it
120+ echo " Creating trust store"
121+ ES_TRUST_STORE_PASSWORD=$( tr -dc ' a-zA-Z0-9' < /dev/urandom | fold -w 64 | head -n 1)
122+ ES_TRUST_STORE=$( mktemp --tmpdir cortex-XXXXXX.ts)
123+ # yes, removing this temp file could cause a race condition, but
124+ # keytool won't work if the file exists
125+ rm -f $ES_TRUST_STORE
126+ for cacert_pem_file in " ${ES_TRUSTED_CA_CERT_FILES[@]} "
127+ do
128+ keytool -importcert -keystore $ES_TRUST_STORE \
129+ -file $cacert_pem_file \
130+ -alias $( basename $cacert_pem_file ) \
131+ -storepass $ES_TRUST_STORE_PASSWORD -noprompt
132+ done
133+ # ssl context is only set up if keyStore given: see
134+ # sslContextMaybe,
135+ # .../app/org/elastic4play/database/DBConfiguration.scala. we
136+ # won't have any certs with private keys in this trust store,
137+ # but that's ok. change this if ES client cert support is added
138+ # to this script.
139+ echo " search.keyStore.path=\" $ES_TRUST_STORE \" " >> " $CONFIG_FILE "
140+ echo " search.keyStore.type=\" JKS\" " >> " $CONFIG_FILE "
141+ echo " search.keyStore.password=\" $ES_TRUST_STORE_PASSWORD \" " >> " $CONFIG_FILE "
142+ echo " search.trustStore.path=\" $ES_TRUST_STORE \" " >> " $CONFIG_FILE "
143+ echo " search.trustStore.type=\" JKS\" " >> " $CONFIG_FILE "
144+ echo " search.trustStore.password=\" $ES_TRUST_STORE_PASSWORD \" " >> " $CONFIG_FILE "
145+ fi
111146 fi
112147
113148 test -n " $JOB_DIRECTORY " && echo " job.directory=\" $JOB_DIRECTORY \" " >> " $CONFIG_FILE "
@@ -141,6 +176,7 @@ touch /var/log/cortex/application.log
141176chown -R " $DAEMON_USER " /var/log/cortex
142177chown -R " $DAEMON_USER " /etc/cortex
143178chown -R " $DAEMON_USER " " $CONFIG_FILE "
179+ test -n " $ES_TRUST_STORE " && chown " $DAEMON_USER " " $ES_TRUST_STORE "
144180test -e /var/run/docker.sock && chown " $DAEMON_USER " /var/run/docker.sock
145181if test -n " $JOB_DIRECTORY "
146182then
0 commit comments