
Commit d631083

author
Varun Rao Bhamidimarri
committed
Cleanup
1 parent 49603b7 commit d631083


1 file changed

+45
-41
lines changed


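--- a/aws_emr_blog_v3/scripts/create-tls-certs.sh
+++ b/aws_emr_blog_v3/scripts/create-tls-certs.sh
@@ -54,7 +54,7 @@ else
 DEFAULT_EC2_REALM='compute.internal'
 echo "AWS region is NOT us-east-1, will use EC2 realm as compute.internal"
 fi
-ranger_agents_certs_path="./ranger-agents"
+ranger_plugin_certs_path="./ranger-agents"
 solr_certs_path="./solr-client"
 keystore_location="./ranger-plugin-keystore.jks"
 keystore_alias=rangerplugin
@@ -63,8 +63,17 @@ truststore_location="./ranger-plugin-truststore.jks"
 ranger_server_certs_path="./ranger-server"
 truststore_password="changeit"
 truststore_ranger_server_alias="rangeradmin"
-secret_mgr_ranger_private_key="emr/rangerGAagentkey"
-secret_mgr_ranger_admin_cert="emr/rangerGAservercert"
+secret_mgr_ranger_plugin_private_key="emr/rangerGAagentkey"
+secret_mgr_ranger_plugin_cert="emr/rangerPluginCert"
+secret_mgr_ranger_admin_private_key="emr/rangerServerPrivateKey"
+secret_mgr_ranger_admin_server_cert="emr/rangerGAservercert"
+ranger_admin_server_private_key_exists="false"
+ranger_admin_server_cert_exists="false"
+ranger_plugin_private_key_exists="false"
+ranger_plugin_cert_exists="false"
+ranger_solr_cert_exists="false"
+ranger_solr_key_exists="false"
+ranger_solr_trust_store_exists="false"
 
 certs_subject="/C=US/ST=TX/L=Dallas/O=EMR/OU=EMR/CN=*.$DEFAULT_EC2_REALM"
 
@@ -97,47 +106,42 @@ generate_certs emr-certs
 
 # Generate KeyStore and TrustStore for the Ranger plugins
 # Keystore
-openssl pkcs12 -export -in ${ranger_agents_certs_path}/certificateChain.pem -inkey ${ranger_agents_certs_path}/privateKey.pem -chain -CAfile ${ranger_agents_certs_path}/trustedCertificates.pem -name ${keystore_alias} -out ${ranger_agents_certs_path}/keystore.p12 -password pass:${keystore_password}
-keytool -importkeystore -deststorepass ${keystore_password} -destkeystore ${keystore_location} -srckeystore ${ranger_agents_certs_path}/keystore.p12 -srcstoretype PKCS12 -srcstorepass ${keystore_password} -noprompt
+openssl pkcs12 -export -in ${ranger_plugin_certs_path}/certificateChain.pem -inkey ${ranger_plugin_certs_path}/privateKey.pem -chain -CAfile ${ranger_plugin_certs_path}/trustedCertificates.pem -name ${keystore_alias} -out ${ranger_plugin_certs_path}/keystore.p12 -password pass:${keystore_password}
+keytool -importkeystore -deststorepass ${keystore_password} -destkeystore ${keystore_location} -srckeystore ${ranger_plugin_certs_path}/keystore.p12 -srcstoretype PKCS12 -srcstorepass ${keystore_password} -noprompt
 
 # Truststore
 rm -rf ${truststore_location}
 keytool -import -file ${ranger_server_certs_path}/certificateChain.pem -alias ${truststore_ranger_server_alias} -keystore ${truststore_location} -storepass ${truststore_password} -noprompt
 
-ranger_private_key_exists="false"
-ranger_admin_cert_exists="false"
-ranger_plugin_cert_exists="false"
-ranger_solr_cert_exists="false"
-ranger_server_key_exists="false"
-ranger_solr_key_exists="false"
-ranger_solr_trust_store_exists="false"
 
 # Delete existing secrets
-if (aws secretsmanager describe-secret --secret-id ${secret_mgr_ranger_private_key} --region $AWS_REGION > /dev/null 2>&1); then
-if [[ $(aws secretsmanager describe-secret --secret-id ${secret_mgr_ranger_private_key} --query "DeletedDate" --region $AWS_REGION) == "null" ]]; then
-echo "${secret_mgr_ranger_private_key} already exists. Will not delete and recreate"
-ranger_private_key_exists="true"
+if (aws secretsmanager describe-secret --secret-id ${secret_mgr_ranger_plugin_private_key} --region $AWS_REGION > /dev/null 2>&1); then
+if [[ $(aws secretsmanager describe-secret --secret-id ${secret_mgr_ranger_plugin_private_key} --query "DeletedDate" --region $AWS_REGION) == "null" ]]; then
+echo "${secret_mgr_ranger_plugin_private_key} already exists. Will not delete and recreate"
+ranger_plugin_private_key_exists="true"
 fi
 fi
-
-if (aws secretsmanager describe-secret --secret-id ${secret_mgr_ranger_admin_cert} --region $AWS_REGION > /dev/null 2>&1); then
-if [[ $(aws secretsmanager describe-secret --secret-id ${secret_mgr_ranger_admin_cert} --query "DeletedDate" --region $AWS_REGION) == "null" ]]; then
-echo "${secret_mgr_ranger_admin_cert} already exists. Will not delete and recreate"
-ranger_admin_cert_exists="true"
+if (aws secretsmanager describe-secret --secret-id ${secret_mgr_ranger_plugin_cert} --region $AWS_REGION > /dev/null 2>&1); then
+if [[ $(aws secretsmanager describe-secret --secret-id ${secret_mgr_ranger_plugin_cert} --query "DeletedDate" --region $AWS_REGION) == "null" ]]; then
+echo "${secret_mgr_ranger_plugin_cert} already exists. Will not delete and recreate"
+ranger_plugin_cert_exists="true"
 fi
 fi
-if (aws secretsmanager describe-secret --secret-id emr/rangerServerPrivateKey --region $AWS_REGION > /dev/null 2>&1); then
-if [[ $(aws secretsmanager describe-secret --secret-id emr/rangerServerPrivateKey --query "DeletedDate" --region $AWS_REGION) == "null" ]]; then
-echo "emr/rangerServerPrivateKey already exists. Will not delete and recreate"
-ranger_server_key_exists="true"
+
+if (aws secretsmanager describe-secret --secret-id ${secret_mgr_ranger_admin_private_key} --region $AWS_REGION > /dev/null 2>&1); then
+if [[ $(aws secretsmanager describe-secret --secret-id ${secret_mgr_ranger_admin_private_key} --query "DeletedDate" --region $AWS_REGION) == "null" ]]; then
+echo "${secret_mgr_ranger_admin_private_key} already exists. Will not delete and recreate"
+ranger_admin_server_private_key_exists="true"
 fi
 fi
-if (aws secretsmanager describe-secret --secret-id emr/rangerPluginCert --region $AWS_REGION > /dev/null 2>&1); then
-if [[ $(aws secretsmanager describe-secret --secret-id emr/rangerPluginCert --query "DeletedDate" --region $AWS_REGION) == "null" ]]; then
-echo "emr/rangerPluginCert already exists. Will not delete and recreate"
-ranger_plugin_cert_exists="true"
+
+if (aws secretsmanager describe-secret --secret-id ${secret_mgr_ranger_admin_server_cert} --region $AWS_REGION > /dev/null 2>&1); then
+if [[ $(aws secretsmanager describe-secret --secret-id ${secret_mgr_ranger_admin_server_cert} --query "DeletedDate" --region $AWS_REGION) == "null" ]]; then
+echo "${secret_mgr_ranger_admin_server_cert} already exists. Will not delete and recreate"
+ranger_admin_server_cert_exists="true"
 fi
 fi
+
 if (aws secretsmanager describe-secret --secret-id emr/rangerSolrCert --region $AWS_REGION > /dev/null 2>&1); then
 if [[ $(aws secretsmanager describe-secret --secret-id emr/rangerSolrCert --query "DeletedDate" --region $AWS_REGION) == "null" ]]; then
 echo "emr/rangerSolrCert already exists. Will not delete and recreate"
@@ -157,18 +161,16 @@ if (aws secretsmanager describe-secret --secret-id emr/rangerSolrTrustedCert --r
 fi
 fi
 
-if [ $ranger_private_key_exists == "false" ] && [ $ranger_admin_cert_exists == "false" ]; then
-aws secretsmanager delete-secret --secret-id ${secret_mgr_ranger_private_key} --force-delete-without-recovery --region $AWS_REGION --cli-read-timeout 10 --cli-connect-timeout 10
-aws secretsmanager delete-secret --secret-id ${secret_mgr_ranger_admin_cert} --force-delete-without-recovery --region $AWS_REGION --cli-read-timeout 10 --cli-connect-timeout 10
+if [ $ranger_admin_server_private_key_exists == "false" ] && [ $ranger_admin_server_cert_exists == "false" ]; then
+aws secretsmanager delete-secret --secret-id ${secret_mgr_ranger_admin_private_key} --force-delete-without-recovery --region $AWS_REGION --cli-read-timeout 10 --cli-connect-timeout 10
+aws secretsmanager delete-secret --secret-id ${secret_mgr_ranger_admin_server_cert} --force-delete-without-recovery --region $AWS_REGION --cli-read-timeout 10 --cli-connect-timeout 10
 
 ## Basic wait for delete to be complete
 sleep 60
 
-cat ${ranger_agents_certs_path}/privateKey.pem ${ranger_agents_certs_path}/certificateChain.pem > ${ranger_agents_certs_path}/rangerGAagentKeyChain.pem
 
-aws secretsmanager create-secret --name ${secret_mgr_ranger_private_key} \
---description "X509 Ranger Agent Private Key to be used by EMR Security Config" --secret-string file://${ranger_agents_certs_path}/rangerGAagentKeyChain.pem --region $AWS_REGION
-aws secretsmanager create-secret --name ${secret_mgr_ranger_admin_cert} \
+aws secretsmanager create-secret --name ${secret_mgr_ranger_admin_private_key} --description "Ranger Server Private Key" --secret-string file://${ranger_server_certs_path}/privateKey.pem --region $AWS_REGION
+aws secretsmanager create-secret --name ${secret_mgr_ranger_admin_server_cert} \
 --description "Ranger Server Cert" --secret-string file://${ranger_server_certs_path}/certificateChain.pem --region $AWS_REGION
 
 if [[ $COPY_CERT_TO_LOCAL_S3_BUCKET == "true" ]]; then
@@ -179,13 +181,15 @@ fi
 
 ## Others that will be used by the Ranger Admin Server
 
-if [ $ranger_server_key_exists == "false" ] && [ $ranger_plugin_cert_exists == "false" ]; then
-aws secretsmanager delete-secret --secret-id emr/rangerServerPrivateKey --force-delete-without-recovery --region $AWS_REGION --cli-read-timeout 10 --cli-connect-timeout 10
-aws secretsmanager delete-secret --secret-id emr/rangerPluginCert --force-delete-without-recovery --region $AWS_REGION --cli-read-timeout 10 --cli-connect-timeout 10
+if [ $ranger_plugin_private_key_exists == "false" ] && [ $ranger_plugin_cert_exists == "false" ]; then
+aws secretsmanager delete-secret --secret-id ${secret_mgr_ranger_plugin_private_key} --force-delete-without-recovery --region $AWS_REGION --cli-read-timeout 10 --cli-connect-timeout 10
+aws secretsmanager delete-secret --secret-id ${secret_mgr_ranger_plugin_cert} --force-delete-without-recovery --region $AWS_REGION --cli-read-timeout 10 --cli-connect-timeout 10
 
 sleep 60
-aws secretsmanager create-secret --name emr/rangerServerPrivateKey --description "Ranger Server Private Key" --secret-string file://${ranger_server_certs_path}/privateKey.pem --region $AWS_REGION
-aws secretsmanager create-secret --name emr/rangerPluginCert --description "Ranger Plugin Cert" --secret-string file://${ranger_agents_certs_path}/certificateChain.pem --region $AWS_REGION
+cat ${ranger_plugin_certs_path}/privateKey.pem ${ranger_plugin_certs_path}/certificateChain.pem > ${ranger_plugin_certs_path}/rangerGAagentKeyChain.pem
+aws secretsmanager create-secret --name ${secret_mgr_ranger_plugin_private_key} \
+--description "X509 Ranger Agent Private Key to be used by EMR Security Config" --secret-string file://${ranger_plugin_certs_path}/rangerGAagentKeyChain.pem --region $AWS_REGION
+aws secretsmanager create-secret --name ${secret_mgr_ranger_plugin_cert} --description "Ranger Plugin Cert" --secret-string file://${ranger_plugin_certs_path}/certificateChain.pem --region $AWS_REGION
 
 fi
 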