harbor/tools/ova/script/config.sh

#!/bin/bash
set -e

attrs=( 
	ldap_url 
	ldap_searchdn 
	ldap_search_pwd 
	ldap_basedn 
	ldap_uid 
	email_server 
	email_server_port 
	email_username 
	email_password 
	email_from 
	email_ssl 
	verify_remote_cert
	self_registration
	)
	
cert_dir=/data/cert
mkdir -p $cert_dir

cert=$cert_dir/server.crt
key=$cert_dir/server.key
csr=$cert_dir/server.csr
ca_cert=$cert_dir/ca.crt
ca_key=$cert_dir/ca.key
ext=$cert_dir/extfile.cnf

ca_download_dir=/data/ca_download
mkdir -p $ca_download_dir
rm -rf $ca_download_dir/*

hostname=""
ip_addr=""

base_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"
source $base_dir/script/common.sh

flag=$base_dir/cert_gen_type

#The location of harbor.cfg
cfg=$base_dir/harbor/harbor.cfg

#Format cert and key files
function format {
	file=$1
	head=$(sed -rn 's/(-+[A-Za-z ]*-+)([^-]*)(-+[A-Za-z ]*-+)/\1/p' $file)
	body=$(sed -rn 's/(-+[A-Za-z ]*-+)([^-]*)(-+[A-Za-z ]*-+)/\2/p' $file)
	tail=$(sed -rn 's/(-+[A-Za-z ]*-+)([^-]*)(-+[A-Za-z ]*-+)/\3/p' $file)
	echo $head > $file
	echo $body | sed  's/\s\+/\n/g' >> $file
	echo $tail >> $file
}

function genCert {
	if [ ! -e $ca_cert ] || [ ! -e $ca_key ]
	then
		openssl req -newkey rsa:4096 -nodes -sha256 -keyout $ca_key \
			-x509 -days 365 -out $ca_cert -subj \
			"/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=Harbor/CN=Self-signed by VMware, Inc."
	fi
	openssl req -newkey rsa:4096 -nodes -sha256 -keyout $key \
		-out $csr -subj \
		"/C=US/ST=California/L=Palo Alto/O=VMware/OU=Harbor/CN=$hostname"
	
	echo "Add subjectAltName = IP: $ip_addr to certificate"
	echo subjectAltName = IP:$ip_addr > $ext
	openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -extfile $ext -out $cert
	
	echo "self-signed" > $flag
	echo "Copy CA certificate to $ca_download_dir"
	cp $ca_cert $ca_download_dir/
}

function secure {
	echo "Read attribute using ovfenv: [ ssl_cert ]"
	ssl_cert=$(ovfenv -k ssl_cert)
	echo "Read attribute using ovfenv: [ ssl_cert_key ]"
	ssl_cert_key=$(ovfenv -k ssl_cert_key)
	if [ -n "$ssl_cert" ] && [ -n "$ssl_cert_key" ]
	then
		echo "ssl_cert and ssl_cert_key are both set, using customized certificate"
		echo $ssl_cert > $cert
		format $cert
		echo $ssl_cert_key > $key
		format $key
		echo "customized" > $flag
		return
	fi
	
	if [ ! -e $ca_cert ] || [ ! -e $cert ] || [ ! -e $key ]
	then
		echo "CA, Certificate or key file does not exist, will generate a self-signed certificate"
		genCert
		return
	fi
	
	if [ ! -e $flag ] 
	then
		echo "The file which records the way generating certificate does not exist, will generate a new self-signed certificate"
		genCert
		return
	fi
	
	if [ ! $(cat $flag) = "self-signed" ]
	then
		echo "The way generating certificate changed, will generate a new self-signed certificate"
		genCert
		return
	fi
	
	cn=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p') || true
	if [ "$hostname" !=  "$cn" ]
	then
		echo "Common name changed: $cn -> $hostname , will generate a new self-signed certificate"
		genCert
		return
	fi
	
	ip_in_cert=$(openssl x509 -noout -text -in $cert | sed -n '/IP Address:/s/.*IP Address://p') || true
	if [ "$ip_addr" !=  "$ip_in_cert" ]
	then
		echo "IP changed: $ip_in_cert -> $ip_addr , will generate a new self-signed certificate"
		genCert
		return
	fi
	
	echo "Use the existing CA, certificate and key file"
	echo "Copy CA certificate to $ca_download_dir"
	cp $ca_cert $ca_download_dir/
}

#Modify hostname
hostname=$(hostname --fqdn) || true
ip_addr=$(ip addr show eth0|grep "inet "|tr -s ' '|cut -d ' ' -f 3|cut -d '/' -f 1)
if [ -z "$hostname" ]
then
	hostname=$ip_addr
fi

if [ -n "$hostname" ]
then
	echo "Read hostname/IP: [ hostname/IP - $hostname ]"
	configureHarborCfg hostname $hostname
else
	echo "Failed to get the hostname/IP"
	exit 1
fi

#Handle http/https
echo "Read attribute using ovfenv: [ protocol ]"
protocol=$(ovfenv -k protocol)
if [ -z $protocol ]
then
	protocol=https
fi

echo "Protocol: $protocol"
configureHarborCfg ui_url_protocol $protocol

if [ $protocol = "https" ]
then
	secure
fi

for attr in "${attrs[@]}"
do
	echo "Read attribute using ovfenv: [ $attr ]"
	value=$(ovfenv -k $attr)
	
	#ldap search password and email password can be null
	if [ -n "$value" ] || [ "$attr" = "ldap_search_pwd" ] \
		|| [ "$attr" = "email_password" ]
	then
		#if [ "$attr" = ldap_search_pwd ] \
		#	|| [ "$attr" = email_password ]
		#then
		#	bs=$(echo $value | base64)
		#	value={base64}$bs
		#fi
		configureHarborCfg $attr $value
	fi
done
ova installation scripts 2016-10-25 12:09:54 +02:00			`#!/bin/bash`
			`set -e`

			`attrs=(`
			`ldap_url`
			`ldap_searchdn`
			`ldap_search_pwd`
			`ldap_basedn`
			`ldap_uid`
			`email_server`
			`email_server_port`
			`email_username`
			`email_password`
			`email_from`
			`email_ssl`
			`verify_remote_cert`
1.add self_registration attr 2.update docs 2016-10-31 06:31:11 +01:00			`self_registration`
ova installation scripts 2016-10-25 12:09:54 +02:00			`)`
generate self-signed certificate 2016-11-16 11:49:09 +01:00
1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot 2016-11-17 11:49:15 +01:00			`cert_dir=/data/cert`
			`mkdir -p $cert_dir`

			`cert=$cert_dir/server.crt`
			`key=$cert_dir/server.key`
			`csr=$cert_dir/server.csr`
			`ca_cert=$cert_dir/ca.crt`
			`ca_key=$cert_dir/ca.key`
			`ext=$cert_dir/extfile.cnf`

			`ca_download_dir=/data/ca_download`
			`mkdir -p $ca_download_dir`
			`rm -rf $ca_download_dir/*`
generate self-signed certificate 2016-11-16 11:49:09 +01:00
			`hostname=""`
1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot 2016-11-17 11:49:15 +01:00			`ip_addr=""`
ova installation scripts 2016-10-25 12:09:54 +02:00
			`base_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"`
1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot 2016-11-17 11:49:15 +01:00			`source $base_dir/script/common.sh`
ova installation scripts 2016-10-25 12:09:54 +02:00
generate self-signed certificate 2016-11-16 11:49:09 +01:00			`flag=$base_dir/cert_gen_type`

ova installation scripts 2016-10-25 12:09:54 +02:00			`#The location of harbor.cfg`
			`cfg=$base_dir/harbor/harbor.cfg`

			`#Format cert and key files`
			`function format {`
			`file=$1`
			`head=$(sed -rn 's/(-+[A-Za-z ]-+)([^-])(-+[A-Za-z ]*-+)/\1/p' $file)`
			`body=$(sed -rn 's/(-+[A-Za-z ]-+)([^-])(-+[A-Za-z ]*-+)/\2/p' $file)`
			`tail=$(sed -rn 's/(-+[A-Za-z ]-+)([^-])(-+[A-Za-z ]*-+)/\3/p' $file)`
			`echo $head > $file`
			`echo $body \| sed 's/\s\+/\n/g' >> $file`
			`echo $tail >> $file`
			`}`

generate self-signed certificate 2016-11-16 11:49:09 +01:00			`function genCert {`
			`if [ ! -e $ca_cert ] \|\| [ ! -e $ca_key ]`
			`then`
			`openssl req -newkey rsa:4096 -nodes -sha256 -keyout $ca_key \`
			`-x509 -days 365 -out $ca_cert -subj \`
modify msg of certificate 2016-11-17 11:39:17 +01:00			`"/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=Harbor/CN=Self-signed by VMware, Inc."`
generate self-signed certificate 2016-11-16 11:49:09 +01:00			`fi`
			`openssl req -newkey rsa:4096 -nodes -sha256 -keyout $key \`
			`-out $csr -subj \`
1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot 2016-11-17 11:49:15 +01:00			`"/C=US/ST=California/L=Palo Alto/O=VMware/OU=Harbor/CN=$hostname"`

			`echo "Add subjectAltName = IP: $ip_addr to certificate"`
			`echo subjectAltName = IP:$ip_addr > $ext`
			`openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -extfile $ext -out $cert`

generate self-signed certificate 2016-11-16 11:49:09 +01:00			`echo "self-signed" > $flag`
1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot 2016-11-17 11:49:15 +01:00			`echo "Copy CA certificate to $ca_download_dir"`
			`cp $ca_cert $ca_download_dir/`
generate self-signed certificate 2016-11-16 11:49:09 +01:00			`}`

			`function secure {`
			`echo "Read attribute using ovfenv: [ ssl_cert ]"`
			`ssl_cert=$(ovfenv -k ssl_cert)`
			`echo "Read attribute using ovfenv: [ ssl_cert_key ]"`
			`ssl_cert_key=$(ovfenv -k ssl_cert_key)`
			`if [ -n "$ssl_cert" ] && [ -n "$ssl_cert_key" ]`
			`then`
			`echo "ssl_cert and ssl_cert_key are both set, using customized certificate"`
			`echo $ssl_cert > $cert`
			`format $cert`
			`echo $ssl_cert_key > $key`
			`format $key`
			`echo "customized" > $flag`
			`return`
			`fi`

1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot 2016-11-17 11:49:15 +01:00			`if [ ! -e $ca_cert ] \|\| [ ! -e $cert ] \|\| [ ! -e $key ]`
generate self-signed certificate 2016-11-16 11:49:09 +01:00			`then`
1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot 2016-11-17 11:49:15 +01:00			`echo "CA, Certificate or key file does not exist, will generate a self-signed certificate"`
generate self-signed certificate 2016-11-16 11:49:09 +01:00			`genCert`
			`return`
			`fi`

			`if [ ! -e $flag ]`
			`then`
			`echo "The file which records the way generating certificate does not exist, will generate a new self-signed certificate"`
			`genCert`
			`return`
			`fi`

			`if [ ! $(cat $flag) = "self-signed" ]`
			`then`
			`echo "The way generating certificate changed, will generate a new self-signed certificate"`
			`genCert`
			`return`
			`fi`

			`cn=$(openssl x509 -noout -subject -in $cert \| sed -n '/^subject/s/^.*CN=//p') \|\| true`
			`if [ "$hostname" != "$cn" ]`
			`then`
			`echo "Common name changed: $cn -> $hostname , will generate a new self-signed certificate"`
			`genCert`
			`return`
			`fi`
1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot 2016-11-17 11:49:15 +01:00
			`ip_in_cert=$(openssl x509 -noout -text -in $cert \| sed -n '/IP Address:/s/.*IP Address://p') \|\| true`
			`if [ "$ip_addr" != "$ip_in_cert" ]`
			`then`
			`echo "IP changed: $ip_in_cert -> $ip_addr , will generate a new self-signed certificate"`
			`genCert`
			`return`
			`fi`

			`echo "Use the existing CA, certificate and key file"`
			`echo "Copy CA certificate to $ca_download_dir"`
			`cp $ca_cert $ca_download_dir/`
generate self-signed certificate 2016-11-16 11:49:09 +01:00			`}`

ova installation scripts 2016-10-25 12:09:54 +02:00			`#Modify hostname`
fixes #995, fixes #1047 2016-11-10 09:18:13 +01:00			`hostname=$(hostname --fqdn) \|\| true`
1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot 2016-11-17 11:49:15 +01:00			`ip_addr=$(ip addr show eth0\|grep "inet "\|tr -s ' '\|cut -d ' ' -f 3\|cut -d '/' -f 1)`
fixes #995, fixes #1047 2016-11-10 09:18:13 +01:00			`if [ -z "$hostname" ]`
ova installation scripts 2016-10-25 12:09:54 +02:00			`then`
1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot 2016-11-17 11:49:15 +01:00			`hostname=$ip_addr`
fixes #995, fixes #1047 2016-11-10 09:18:13 +01:00			`fi`

			`if [ -n "$hostname" ]`
			`then`
			`echo "Read hostname/IP: [ hostname/IP - $hostname ]"`
1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot 2016-11-17 11:49:15 +01:00			`configureHarborCfg hostname $hostname`
ova installation scripts 2016-10-25 12:09:54 +02:00			`else`
fixes #995, fixes #1047 2016-11-10 09:18:13 +01:00			`echo "Failed to get the hostname/IP"`
ova installation scripts 2016-10-25 12:09:54 +02:00			`exit 1`
			`fi`

			`#Handle http/https`
generate self-signed certificate 2016-11-16 11:49:09 +01:00			`echo "Read attribute using ovfenv: [ protocol ]"`
			`protocol=$(ovfenv -k protocol)`
			`if [ -z $protocol ]`
ova installation scripts 2016-10-25 12:09:54 +02:00			`then`
fixes #1002 2016-11-09 07:56:32 +01:00			`protocol=https`
generate self-signed certificate 2016-11-16 11:49:09 +01:00			`fi`

			`echo "Protocol: $protocol"`
1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot 2016-11-17 11:49:15 +01:00			`configureHarborCfg ui_url_protocol $protocol`
generate self-signed certificate 2016-11-16 11:49:09 +01:00
			`if [ $protocol = "https" ]`
			`then`
			`secure`
ova installation scripts 2016-10-25 12:09:54 +02:00			`fi`

			`for attr in "${attrs[@]}"`
			`do`
			`echo "Read attribute using ovfenv: [ $attr ]"`
			`value=$(ovfenv -k $attr)`

			`#ldap search password and email password can be null`
			`if [ -n "$value" ] \|\| [ "$attr" = "ldap_search_pwd" ] \`
			`\|\| [ "$attr" = "email_password" ]`
			`then`
1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot 2016-11-17 11:49:15 +01:00			`#if [ "$attr" = ldap_search_pwd ] \`
			`# \|\| [ "$attr" = email_password ]`
			`#then`
			`# bs=$(echo $value \| base64)`
			`# value={base64}$bs`
			`#fi`
			`configureHarborCfg $attr $value`
ova installation scripts 2016-10-25 12:09:54 +02:00			`fi`
			`done`