Commit 6e9274aa authored by Pedro Eduardo Trujillo's avatar Pedro Eduardo Trujillo

Usa filenames diferentes para certs de cada nodo

No es posible generar directamente la salida de certificados en
directorios con nombre diferente pero mismo nombre de fichero, por lo
que se utiliza la construcción de ruta variable incluyendo también el
nombre variable de los ficheros key y crt.
parent 9c1c5b58
+1 −6
@@ -8,6 +8,7 @@ ELASTIC_PASSWORD=changeme
ES_PATH_DATA=/usr/share/elasticsearch/data
ES_CONFIG_PATH=/usr/share/elasticsearch/config
ES_CERT_PATH=/usr/share/elasticsearch/cert
SSL_CA_CERT_FILEPATH=ca/ca.crt

# clustering
ES_CLUSTER_INITIAL_MASTER_NODES=es-node1,es-node2,es-node3
@@ -26,12 +27,6 @@ ES_XPACK_SECURITY_TRANSPORT_SSL_VERIFICATION_MODE=full
# machine-learning
ES_XPACK_ML_USE_AUTO_MACHINE_MEMORY_PERCENT=true

# certs
SSL_KEY_FILENAME=node.key
SSL_CERT_FILENAME=node.crt
SSL_CA_KEY_FILEPATH=ca/ca.key
SSL_CA_CERT_FILEPATH=ca/ca.crt

# volumes
DATA_VOL_NAME=elasticsearch-data-vol
CONF_VOL_NAME=elasticsearch-conf-vol
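Review bot: SSL_CA_KEY_FILEPATH appears to be dropped from the `# certs` group here while SSL_CA_CERT_FILEPATH is kept (moved up next to ES_CERT_PATH), so the CA key location becomes a literal `ca/ca.key` in the compose certutil call (second file, hunk at line 90) while the CA certificate stays configurable; the two halves of the CA material can now be pointed at different places by editing only one of them. Keeping `SSL_CA_KEY_FILEPATH=ca/ca.key` beside the cert path, or a comment noting that the CA key path is fixed in docker-compose, would keep that coupling visible. The relocated line also sits under the path settings with no heading; a comment like `# CA cert shared by all nodes; per-node key/cert names are derived from the node hostname in docker-compose` would explain why the per-node filename variables are gone.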
+5 −6
@@ -13,14 +13,14 @@ services:
      xpack.security.http.ssl.enabled: ${ES_XPACK_SECURITY_HTTP_SSL_ENABLED}
      xpack.security.http.ssl.client_authentication: ${ES_XPACK_SECURITY_HTTP_SSL_CLIENT_AUTHENTICATION}
      xpack.security.http.ssl.verification_mode: ${ES_XPACK_SECURITY_HTTP_SSL_VERIFICATION_MODE}
      xpack.security.http.ssl.key: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${SSL_KEY_FILENAME}
      xpack.security.http.ssl.certificate: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${SSL_CERT_FILENAME}
      xpack.security.http.ssl.key: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}.key
      xpack.security.http.ssl.certificate: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}.crt
      xpack.security.http.ssl.certificate_authorities: ${ES_CERT_PATH}/${SSL_CA_CERT_FILEPATH}
      xpack.security.transport.ssl.enabled: ${ES_XPACK_SECURITY_TRANSPORT_SSL_ENABLED}
      xpack.security.transport.ssl.client_authentication: ${ES_XPACK_SECURITY_TRANSPORT_SSL_CLIENT_AUTHENTICATION}
      xpack.security.transport.ssl.verification_mode: ${ES_XPACK_SECURITY_TRANSPORT_SSL_VERIFICATION_MODE}
      xpack.security.transport.ssl.key: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${SSL_KEY_FILENAME}
      xpack.security.transport.ssl.certificate: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${SSL_CERT_FILENAME}
      xpack.security.transport.ssl.key: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}.key
      xpack.security.transport.ssl.certificate: ${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}.crt
      xpack.security.transport.ssl.certificate_authorities: ${ES_CERT_PATH}/${SSL_CA_CERT_FILEPATH}
      xpack.ml.use_auto_machine_memory_percent: ${ES_XPACK_ML_USE_AUTO_MACHINE_MEMORY_PERCENT}
      S3_ACCESS_KEY:
@@ -81,7 +81,6 @@ services:
            echo "  $${nodeName}";
            echo -ne \
            "  - name: $${nodeName}\n"\
            "   filename: $${nodeName}/node\n"\
            "   dns:\n"\
            "    - $${nodeName}\n"\
            "    - localhost\n"\
@@ -91,7 +90,7 @@ services:
          done;
          bin/elasticsearch-certutil cert --silent --pem \
            --out ${ES_CERT_PATH}/certs.zip --in ${ES_CERT_PATH}/instances.yml \
            --ca-cert ${ES_CERT_PATH}/${SSL_CA_CERT_FILEPATH} --ca-key ${ES_CERT_PATH}/${SSL_CA_KEY_FILEPATH};
            --ca-cert ${ES_CERT_PATH}/${SSL_CA_CERT_FILEPATH} --ca-key ${ES_CERT_PATH}/ca/ca.key;
          if [ ! -f ${ES_CERT_PATH}/certs.zip ]
          then
            echo "Certs creation failed";
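Review bot: The per-node paths `${ES_CERT_PATH}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}/${HOSTNAME_PREFIX}-{{.Node.Hostname}}.key` and `.crt` are spelled out four times across the http and transport ssl settings, and they only resolve because the instances.yml entry written at line 81 no longer carries a `filename:` field, so certutil presumably names each output after its instance; nothing in the file records that link. A comment above the http.ssl.key line such as `# key/cert names follow certutil's default <name>/<name>.{key,crt} layout; the instances.yml entries below must not set filename:` would make the dependency explicit and stop a later edit from reintroducing `filename:` and silently breaking both key paths. In the hunk at line 90 `--ca-key` now hardcodes `ca/ca.key` while `--ca-cert` still uses `${SSL_CA_CERT_FILEPATH}`; this matches the env-file change, but a reader will wonder why only one of the two CA paths is variable. The shell run block containing these lines starts before and ends after the hunks shown.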