Skip to content

Commit d8ecae8

Browse files
committed
add to entrypoint support for trusting a CA cert for Elasticsearch
1 parent 330bc25 commit d8ecae8

1 file changed

Lines changed: 36 additions & 0 deletions

File tree

package/docker/entrypoint

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,8 @@ test "${no_config:-0}" == 1
44
CONFIG=$?
55
test "${no_config_secret:-0}" == 1
66
CONFIG_SECRET=$?
7+
ES_TRUSTED_CA_CERT_FILES=()
8+
IFS=',' read -r -a ES_TRUSTED_CA_CERT_FILES <<< "${es_trusted_ca_cert_files:-$es_trusted_ca_cert_file}"
79
test "${no_config_es:-0}" == 1
810
CONFIG_ES=$?
911
ES_URI=${es_uri:-}
@@ -28,6 +30,7 @@ function usage {
2830
--no-config-secret | do not add random secret to configuration
2931
--no-config-es | do not add elasticsearch hosts to configuration
3032
--es-uri <uri> | use this string to configure elasticsearch hosts (format: http(s)://host:port,host:port(/prefix)?querystring)
33+
--es-trust-ca-cert <file.pem>| trust a CA for outbound Elasticsearch TLS connections (can use multiple times)
3134
--es-hostname <host> | resolve this hostname to find elasticsearch instances
3235
--secret <secret> | secret to secure sessions
3336
--show-secret | show the generated secret
@@ -51,6 +54,7 @@ do
5154
"--es-hosts") echo "--es-hosts is deprecated, please use --es-uri"
5255
usage;;
5356
"--es-uri") shift; ES_URI=$1;;
57+
"--es-trust-ca-cert") shift; ES_TRUSTED_CA_CERT_FILES+=($1);;
5458
"--es-hostname") shift; ES_HOSTNAME=$1;;
5559
"--secret") shift; SECRET=$1;;
5660
"--show-secret") SHOW_SECRET=1;;
@@ -108,6 +112,37 @@ then
108112
else
109113
echo elasticsearch host not configured
110114
fi
115+
116+
if test ${#ES_TRUSTED_CA_CERT_FILES} -gt 0
117+
then
118+
# elastic4play only lets us specify one truststore, so let's
119+
# make it a JKS with whatever is needed inside it
120+
echo "Creating trust store"
121+
ES_TRUST_STORE_PASSWORD=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 64 | head -n 1)
122+
ES_TRUST_STORE=$(mktemp --tmpdir cortex-XXXXXX.ts)
123+
# yes, removing this temp file could cause a race condition, but
124+
# keytool won't work if the file exists
125+
rm -f $ES_TRUST_STORE
126+
for cacert_pem_file in "${ES_TRUSTED_CA_CERT_FILES[@]}"
127+
do
128+
keytool -importcert -keystore $ES_TRUST_STORE \
129+
-file $cacert_pem_file \
130+
-alias $(basename $cacert_pem_file) \
131+
-storepass $ES_TRUST_STORE_PASSWORD -noprompt
132+
done
133+
# ssl context is only set up if keyStore given: see
134+
# sslContextMaybe,
135+
# .../app/org/elastic4play/database/DBConfiguration.scala. we
136+
# won't have any certs with private keys in this trust store,
137+
# but that's ok. change this if ES client cert support is added
138+
# to this script.
139+
echo "search.keyStore.path=\"$ES_TRUST_STORE\"" >> "$CONFIG_FILE"
140+
echo "search.keyStore.type=\"JKS\"" >> "$CONFIG_FILE"
141+
echo "search.keyStore.password=\"$ES_TRUST_STORE_PASSWORD\"" >> "$CONFIG_FILE"
142+
echo "search.trustStore.path=\"$ES_TRUST_STORE\"" >> "$CONFIG_FILE"
143+
echo "search.trustStore.type=\"JKS\"" >> "$CONFIG_FILE"
144+
echo "search.trustStore.password=\"$ES_TRUST_STORE_PASSWORD\"" >> "$CONFIG_FILE"
145+
fi
111146
fi
112147

113148
test -n "$JOB_DIRECTORY" && echo "job.directory=\"$JOB_DIRECTORY\"" >> "$CONFIG_FILE"
@@ -141,6 +176,7 @@ touch /var/log/cortex/application.log
141176
chown -R "$DAEMON_USER" /var/log/cortex
142177
chown -R "$DAEMON_USER" /etc/cortex
143178
chown -R "$DAEMON_USER" "$CONFIG_FILE"
179+
test -n "$ES_TRUST_STORE" && chown "$DAEMON_USER" "$ES_TRUST_STORE"
144180
test -e /var/run/docker.sock && chown "$DAEMON_USER" /var/run/docker.sock
145181
if test -n "$JOB_DIRECTORY"
146182
then

0 commit comments

Comments
 (0)