-
Notifications
You must be signed in to change notification settings - Fork 1
/
generate-certs-compose.yml
40 lines (36 loc) · 2.11 KB
/
generate-certs-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
services:
setup:
image: ${IMAGE_REGISTRY_PREFIX}docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
volumes:
- ./elasticsearch/certs:/usr/share/elasticsearch/config/certs
- ./elasticsearch/instances.yml.tmpl:/usr/share/elasticsearch/config/instances.yml.tmpl:ro
user: "0"
environment:
KIBANA_HOSTS_IP: ${KIBANA_HOSTS_IP}
KIBANA_HOSTNAMES: ${KIBANA_HOSTNAMES}
command: >
bash -c
"
if [ ! -f config/certs/ca.zip ]; then
echo \"Creating CA\";
bin/elasticsearch-certutil ca --days 3650 --silent --pem -out config/certs/ca.zip;
unzip -n config/certs/ca.zip -d config/certs;
fi;
if [ ! -f config/certs/certs.zip ]; then
echo \"Creating certs\";
cp config/instances.yml.tmpl config/instances.yml && sed -i -e \"s/__KIBANA_HOSTS_IP__/$${KIBANA_HOSTS_IP}/\" -e \"s/__KIBANA_HOSTNAMES__/$${KIBANA_HOSTNAMES}/\" config/instances.yml;
bin/elasticsearch-certutil cert --days 3650 --silent --pem --out config/certs/certs.zip --in config/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
unzip -n config/certs/certs.zip -d config/certs;
echo \"Elasticsearch certificates generated!\";
fi;
echo \"Setting file permissions\";
chown -R root:root config/certs;
find . -type d | xargs chmod 750;
find . -type f | xargs chmod 640;
if [ ! -f config/certs/ca/ca.p12 ]; then
export CERTIFICATE_PASSWORD=$$(openssl rand -hex 7)
openssl pkcs12 -export -in config/certs/ca/ca.crt -inkey config/certs/ca/ca.key -out config/certs/ca/ca.12 -password pass:$${CERTIFICATE_PASSWORD}
echo \"Exported CA x509 certificate to PKCS12 Certificate. Stored in certs/ca/ca.p12. Use the below command to convert it to JKS\"
echo \"keytool -importkeystore -srckeystore elasticsearch/certs/ca/ca.p12 -srcstoretype PKCS12 -srcstorepass $${CERTIFICATE_PASSWORD} -deststorepass $${CERTIFICATE_PASSWORD} -destkeypass $${CERTIFICATE_PASSWORD} -destkeystore elasticsearch/certs/ca/ca.jks\";
fi
"