harbor/tools/ova/script/config.sh

184 lines
4.4 KiB
Bash
Raw Normal View History

2016-10-25 12:09:54 +02:00
#!/bin/bash
set -e
attrs=(
ldap_url
ldap_searchdn
ldap_search_pwd
ldap_basedn
ldap_uid
email_server
email_server_port
email_username
email_password
email_from
email_ssl
verify_remote_cert
self_registration
2016-10-25 12:09:54 +02:00
)
2016-11-16 11:49:09 +01:00
cert_dir=/data/cert
mkdir -p $cert_dir
cert=$cert_dir/server.crt
key=$cert_dir/server.key
csr=$cert_dir/server.csr
ca_cert=$cert_dir/ca.crt
ca_key=$cert_dir/ca.key
ext=$cert_dir/extfile.cnf
ca_download_dir=/data/ca_download
mkdir -p $ca_download_dir
rm -rf $ca_download_dir/*
2016-11-16 11:49:09 +01:00
hostname=""
ip_addr=""
2016-10-25 12:09:54 +02:00
base_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"
source $base_dir/script/common.sh
2016-10-25 12:09:54 +02:00
2016-11-16 11:49:09 +01:00
flag=$base_dir/cert_gen_type
2016-10-25 12:09:54 +02:00
#The location of harbor.cfg
cfg=$base_dir/harbor/harbor.cfg
#Format cert and key files
function format {
file=$1
head=$(sed -rn 's/(-+[A-Za-z ]*-+)([^-]*)(-+[A-Za-z ]*-+)/\1/p' $file)
body=$(sed -rn 's/(-+[A-Za-z ]*-+)([^-]*)(-+[A-Za-z ]*-+)/\2/p' $file)
tail=$(sed -rn 's/(-+[A-Za-z ]*-+)([^-]*)(-+[A-Za-z ]*-+)/\3/p' $file)
echo $head > $file
echo $body | sed 's/\s\+/\n/g' >> $file
echo $tail >> $file
}
2016-11-16 11:49:09 +01:00
function genCert {
if [ ! -e $ca_cert ] || [ ! -e $ca_key ]
then
openssl req -newkey rsa:4096 -nodes -sha256 -keyout $ca_key \
-x509 -days 365 -out $ca_cert -subj \
2016-11-17 11:39:17 +01:00
"/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=Harbor/CN=Self-signed by VMware, Inc."
2016-11-16 11:49:09 +01:00
fi
openssl req -newkey rsa:4096 -nodes -sha256 -keyout $key \
-out $csr -subj \
"/C=US/ST=California/L=Palo Alto/O=VMware/OU=Harbor/CN=$hostname"
echo "Add subjectAltName = IP: $ip_addr to certificate"
echo subjectAltName = IP:$ip_addr > $ext
openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -extfile $ext -out $cert
2016-11-16 11:49:09 +01:00
echo "self-signed" > $flag
echo "Copy CA certificate to $ca_download_dir"
cp $ca_cert $ca_download_dir/
2016-11-16 11:49:09 +01:00
}
function secure {
echo "Read attribute using ovfenv: [ ssl_cert ]"
ssl_cert=$(ovfenv -k ssl_cert)
echo "Read attribute using ovfenv: [ ssl_cert_key ]"
ssl_cert_key=$(ovfenv -k ssl_cert_key)
if [ -n "$ssl_cert" ] && [ -n "$ssl_cert_key" ]
then
echo "ssl_cert and ssl_cert_key are both set, using customized certificate"
echo $ssl_cert > $cert
format $cert
echo $ssl_cert_key > $key
format $key
echo "customized" > $flag
return
fi
if [ ! -e $ca_cert ] || [ ! -e $cert ] || [ ! -e $key ]
2016-11-16 11:49:09 +01:00
then
echo "CA, Certificate or key file does not exist, will generate a self-signed certificate"
2016-11-16 11:49:09 +01:00
genCert
return
fi
if [ ! -e $flag ]
then
echo "The file which records the way generating certificate does not exist, will generate a new self-signed certificate"
genCert
return
fi
if [ ! $(cat $flag) = "self-signed" ]
then
echo "The way generating certificate changed, will generate a new self-signed certificate"
genCert
return
fi
cn=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p') || true
if [ "$hostname" != "$cn" ]
then
echo "Common name changed: $cn -> $hostname , will generate a new self-signed certificate"
genCert
return
fi
ip_in_cert=$(openssl x509 -noout -text -in $cert | sed -n '/IP Address:/s/.*IP Address://p') || true
if [ "$ip_addr" != "$ip_in_cert" ]
then
echo "IP changed: $ip_in_cert -> $ip_addr , will generate a new self-signed certificate"
genCert
return
fi
echo "Use the existing CA, certificate and key file"
echo "Copy CA certificate to $ca_download_dir"
cp $ca_cert $ca_download_dir/
2016-11-16 11:49:09 +01:00
}
2016-10-25 12:09:54 +02:00
#Modify hostname
2016-11-10 09:18:13 +01:00
hostname=$(hostname --fqdn) || true
ip_addr=$(ip addr show eth0|grep "inet "|tr -s ' '|cut -d ' ' -f 3|cut -d '/' -f 1)
2016-11-10 09:18:13 +01:00
if [ -z "$hostname" ]
2016-10-25 12:09:54 +02:00
then
hostname=$ip_addr
2016-11-10 09:18:13 +01:00
fi
if [ -n "$hostname" ]
then
echo "Read hostname/IP: [ hostname/IP - $hostname ]"
configureHarborCfg hostname $hostname
2016-10-25 12:09:54 +02:00
else
2016-11-10 09:18:13 +01:00
echo "Failed to get the hostname/IP"
2016-10-25 12:09:54 +02:00
exit 1
fi
#Handle http/https
2016-11-16 11:49:09 +01:00
echo "Read attribute using ovfenv: [ protocol ]"
protocol=$(ovfenv -k protocol)
if [ -z $protocol ]
2016-10-25 12:09:54 +02:00
then
2016-11-09 07:56:32 +01:00
protocol=https
2016-11-16 11:49:09 +01:00
fi
echo "Protocol: $protocol"
configureHarborCfg ui_url_protocol $protocol
2016-11-16 11:49:09 +01:00
if [ $protocol = "https" ]
then
secure
2016-10-25 12:09:54 +02:00
fi
for attr in "${attrs[@]}"
do
echo "Read attribute using ovfenv: [ $attr ]"
value=$(ovfenv -k $attr)
#ldap search password and email password can be null
if [ -n "$value" ] || [ "$attr" = "ldap_search_pwd" ] \
|| [ "$attr" = "email_password" ]
then
#if [ "$attr" = ldap_search_pwd ] \
# || [ "$attr" = email_password ]
#then
# bs=$(echo $value | base64)
# value={base64}$bs
#fi
configureHarborCfg $attr $value
2016-10-25 12:09:54 +02:00
fi
done