Enhance: Refactor the notary structure
1. Update the notary template in docker-compose 2. Automatically generate certs if they do not exist Signed-off-by: Qian Deng <dengq@vmware.com>
This commit is contained in:
parent
93af296eeb
commit
0c84751a10
@ -14,12 +14,6 @@ ui_url_protocol: https
|
||||
#Maximum number of job workers in job service
|
||||
max_job_workers: 10
|
||||
|
||||
#Determine whether or not to generate certificate for the registry's token.
|
||||
#If the value is on, the prepare script creates new root cert and private key
|
||||
#for generating token to access the registry. If the value is off the default key/cert will be used.
|
||||
#This flag also controls the creation of the notary signer's cert.
|
||||
customize_crt: on
|
||||
|
||||
# The default data volume
|
||||
data_volume: /data
|
||||
|
||||
|
@ -13,6 +13,9 @@ config_dir = '/config'
|
||||
secret_dir = '/secret'
|
||||
secret_key_dir='/secret/keys'
|
||||
|
||||
old_private_key_pem_path = Path('/config/core/private_key.pem')
|
||||
old_crt_path = Path('/config/registry/root.crt')
|
||||
|
||||
private_key_pem_path = Path('/secret/core/private_key.pem')
|
||||
root_crt_path = Path('/secret/registry/root.crt')
|
||||
|
||||
|
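Review bot: The two new constants at L59 and L62 say nothing about why a /config and a /secret location now coexist, and the `old_` prefix alone does not tell a reader which release moved the layout. A comment above them such as `# pre-1.8 locations of the registry token key/cert; only read by prepare_ca to migrate them into /secret` would spare the next maintainer a trip through cert.py. Since these paths point at private key material, it is also worth stating that nothing else should be writing to them after the migration.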
@ -16,7 +16,8 @@ from utils.chart import prepare_chartmuseum
|
||||
from utils.docker_compose import prepare_docker_compose
|
||||
from utils.nginx import prepare_nginx, nginx_confd_dir
|
||||
from g import (config_dir, config_file_path, core_cert_dir, private_key_pem_path, root_crt_path,
|
||||
registry_custom_ca_bundle_storage_path, registry_custom_ca_bundle_storage_input_path, secret_key_dir)
|
||||
registry_custom_ca_bundle_storage_path, registry_custom_ca_bundle_storage_input_path, secret_key_dir,
|
||||
old_private_key_pem_path, old_crt_path)
|
||||
|
||||
# Main function
|
||||
@click.command()
|
||||
@ -48,6 +49,8 @@ def main(conf, with_notary, with_clair, with_chartmuseum):
|
||||
prepare_ca(
|
||||
private_key_pem_path=private_key_pem_path,
|
||||
root_crt_path=root_crt_path,
|
||||
old_private_key_pem_path=old_private_key_pem_path,
|
||||
old_crt_path=old_crt_path,
|
||||
registry_custom_ca_bundle_config=registry_custom_ca_bundle_storage_input_path,
|
||||
registry_custom_ca_bundle_storage_path=registry_custom_ca_bundle_storage_path)
|
||||
|
||||
|
@ -282,6 +282,8 @@ services:
|
||||
dns_search: .
|
||||
volumes:
|
||||
- ./common/config/notary:/etc/notary:z
|
||||
- {{data_volume}}/secret/notary/notary-signer-ca.crt:/etc/notary/notary-signer-ca.crt:z
|
||||
- {{data_volume}}/secret/registry/root.crt:/etc/notary/root.crt:z
|
||||
env_file:
|
||||
- ./common/config/notary/server_env
|
||||
depends_on:
|
||||
@ -304,6 +306,8 @@ services:
|
||||
dns_search: .
|
||||
volumes:
|
||||
- ./common/config/notary:/etc/notary:z
|
||||
- {{data_volume}}/secret/notary/notary-signer.crt:/etc/notary/notary-signer.crt:z
|
||||
- {{data_volume}}/secret/notary/notary-signer.key:/etc/notary/notary-signer.key:z
|
||||
env_file:
|
||||
- ./common/config/notary/signer_env
|
||||
depends_on:
|
||||
|
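Review bot: The new single-file bind mounts at L144/L147 and L171/L174 give notary-server and notary-signer write access to the CA cert, the root cert and the signer's private key, which neither service needs to do its job. Marking them read-only, e.g. `- {{data_volume}}/secret/notary/notary-signer.key:/etc/notary/notary-signer.key:ro,z`, keeps a misbehaving or compromised container from altering the material it authenticates with; the same applies to the other three file mounts. One caveat inferred rather than visible here: single-file bind mounts track the inode, so if prepare.py later replaces one of these files via move rather than in-place write, a running container keeps the old content until restarted.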
@ -108,18 +108,25 @@ def openssl_installed():
|
||||
def prepare_ca(
|
||||
private_key_pem_path: Path,
|
||||
root_crt_path: Path,
|
||||
old_private_key_pem_path: Path,
|
||||
old_crt_path: Path,
|
||||
registry_custom_ca_bundle_config: Path,
|
||||
registry_custom_ca_bundle_storage_path: Path):
|
||||
if not ( private_key_pem_path.exists() and root_crt_path.exists() ):
|
||||
# From version 1.8 the cert storage path is changed
|
||||
# if old key paris not exist create new ones
|
||||
# if old key pairs exist in old place copy it to new place
|
||||
if not (old_crt_path.exists() and old_private_key_pem_path.exists()):
|
||||
private_key_pem_path.parent.mkdir(parents=True, exist_ok=True)
|
||||
root_crt_path.parent.mkdir(parents=True, exist_ok=True)
|
||||
|
||||
if not (private_key_pem_path.exists() and root_crt_path.exists()):
|
||||
empty_subj = "/"
|
||||
create_root_cert(empty_subj, key_path=private_key_pem_path, cert_path=root_crt_path)
|
||||
mark_file(private_key_pem_path)
|
||||
mark_file(root_crt_path)
|
||||
shutil.move(old_crt_path, root_crt_path)
|
||||
shutil.move(old_private_key_pem_path, private_key_pem_path)
|
||||
|
||||
private_key_pem_path.parent.mkdir(parents=True, exist_ok=True)
|
||||
root_crt_path.parent.mkdir(parents=True, exist_ok=True)
|
||||
|
||||
empty_subj = "/"
|
||||
create_root_cert(empty_subj, key_path=private_key_pem_path, cert_path=root_crt_path)
|
||||
mark_file(private_key_pem_path)
|
||||
mark_file(root_crt_path)
|
||||
|
||||
if not registry_custom_ca_bundle_storage_path.exists() and registry_custom_ca_bundle_config.exists():
|
||||
registry_custom_ca_bundle_storage_path.parent.mkdir(parents=True, exist_ok=True)
|
||||
|
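Review bot: In the migration branch (L249/L252) the moved files skip the permission fixup that the generation branch applies at L243/L246, so a pre-1.8 private_key.pem keeps whatever mode and owner it had under /config; add `mark_file(private_key_pem_path)` and `mark_file(root_crt_path)` after the two moves. That branch also never creates the destination directories — the two `mkdir(parents=True, exist_ok=True)` calls at L226/L229 only run when no old pair exists — so on a first 1.8 run with /secret/registry absent `shutil.move` fails; hoisting both mkdir calls above the `if not (old_crt_path.exists() ...)` test fixes it. I cannot see an `else:` between L246 and L249 on this rendering; if the moves really are unconditional they would raise FileNotFoundError right after a fresh pair is generated, so please confirm the indentation. The comment at L217 has a typo, `paris` → `pairs`.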
@ -8,10 +8,10 @@ from g import DEFAULT_UID, DEFAULT_GID
|
||||
# To meet security requirement
|
||||
# By default it will change file mode to 0600, and make the owner of the file to 10000:10000
|
||||
def mark_file(path, mode=0o600, uid=DEFAULT_UID, gid=DEFAULT_GID):
|
||||
# if mode > 0:
|
||||
# os.chmod(path, mode)
|
||||
# if uid > 0 and gid > 0:
|
||||
# os.chown(path, uid, gid)
|
||||
if mode > 0:
|
||||
os.chmod(path, mode)
|
||||
if uid > 0 and gid > 0:
|
||||
os.chown(path, uid, gid)
|
||||
pass
|
||||
|
||||
|
||||
|
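Review bot: The trailing `pass` at L322 is dead code now that the chmod/chown body at L310–L319 is live again and can be dropped. Since the function now touches the filesystem, a docstring stating the contract would help the callers in cert.py and notary.py: `"""Restrict path to mode (default 0600) and chown it to uid:gid (default 10000:10000); a mode of 0 skips chmod and a uid or gid of 0 skips chown. Raises FileNotFoundError if path does not exist."""`. The comment at L289/L292 could then be folded into that docstring instead of living above the def.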
@ -1,4 +1,4 @@
|
||||
import os, shutil
|
||||
import os, shutil, pathlib
|
||||
from g import base_dir, templates_dir, config_dir, root_crt_path, secret_key_dir,DEFAULT_UID, DEFAULT_GID
|
||||
from .cert import openssl_installed, create_cert, create_root_cert, get_alias
|
||||
from .jinja import render_jinja
|
||||
@ -21,36 +21,56 @@ notary_server_env_path = os.path.join(notary_config_dir, "server_env")
|
||||
|
||||
def prepare_env_notary(customize_crt, nginx_config_dir):
|
||||
notary_config_dir = prepare_config_dir(config_dir, "notary")
|
||||
if (customize_crt == 'on' or customize_crt == True) and openssl_installed():
|
||||
try:
|
||||
temp_cert_dir = os.path.join('/tmp', "cert_tmp")
|
||||
if not os.path.exists(temp_cert_dir):
|
||||
os.makedirs(temp_cert_dir)
|
||||
ca_subj = "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=Self-signed by GoHarbor"
|
||||
cert_subj = "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=notarysigner"
|
||||
signer_ca_cert = os.path.join(temp_cert_dir, "notary-signer-ca.crt")
|
||||
signer_ca_key = os.path.join(temp_cert_dir, "notary-signer-ca.key")
|
||||
signer_cert_path = os.path.join(temp_cert_dir, "notary-signer.crt")
|
||||
signer_key_path = os.path.join(temp_cert_dir, "notary-signer.key")
|
||||
create_root_cert(ca_subj, key_path=signer_ca_key, cert_path=signer_ca_cert)
|
||||
create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path)
|
||||
print("Copying certs for notary signer")
|
||||
shutil.copy2(signer_cert_path, notary_config_dir)
|
||||
shutil.copy2(signer_key_path, notary_config_dir)
|
||||
shutil.copy2(signer_ca_cert, notary_config_dir)
|
||||
finally:
|
||||
srl_tmp = os.path.join(os.getcwd(), ".srl")
|
||||
if os.path.isfile(srl_tmp):
|
||||
os.remove(srl_tmp)
|
||||
if os.path.isdir(temp_cert_dir):
|
||||
shutil.rmtree(temp_cert_dir, True)
|
||||
else:
|
||||
print("Copying certs for notary signer")
|
||||
shutil.copy2(os.path.join(notary_template_dir, "notary-signer.crt"), notary_config_dir)
|
||||
shutil.copy2(os.path.join(notary_template_dir, "notary-signer.key"), notary_config_dir)
|
||||
shutil.copy2(os.path.join(notary_template_dir, "notary-signer-ca.crt"), notary_config_dir)
|
||||
old_signer_cert_secret_path = pathlib.Path(os.path.join(config_dir, 'notary-signer.crt'))
|
||||
old_signer_key_secret_path = pathlib.Path(os.path.join(config_dir, 'notary-signer.key'))
|
||||
old_signer_ca_cert_secret_path = pathlib.Path(os.path.join(config_dir, 'notary-signer-ca.crt'))
|
||||
|
||||
shutil.copy2(root_crt_path, notary_config_dir)
|
||||
notary_secret_dir = prepare_config_dir('/secret/notary')
|
||||
signer_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer.crt'))
|
||||
signer_key_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer.key'))
|
||||
signer_ca_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer-ca.crt'))
|
||||
notary_root_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'root.crt'))
|
||||
|
||||
|
||||
# In version 1.8 the secret path changed
|
||||
# If cert, key , ca all are exist in new place don't do anything
|
||||
if not(
|
||||
signer_cert_secret_path.exists() and
|
||||
signer_key_secret_path.exists() and
|
||||
signer_ca_cert_secret_path.exists()
|
||||
):
|
||||
# If the certs are exist in old place, move it to new place
|
||||
if old_signer_ca_cert_secret_path.exists() and old_signer_cert_secret_path.exists() and old_signer_key_secret_path.exists():
|
||||
print("Copying certs for notary signer")
|
||||
shutil.copy2(old_signer_ca_cert_secret_path, signer_ca_cert_secret_path)
|
||||
shutil.copy2(old_signer_key_secret_path, signer_key_secret_path)
|
||||
shutil.copy2(old_signer_cert_secret_path, signer_cert_secret_path)
|
||||
# If certs neither exist in new place nor in the old place, create it and move it to new place
|
||||
else:
|
||||
try:
|
||||
temp_cert_dir = os.path.join('/tmp', "cert_tmp")
|
||||
if not os.path.exists(temp_cert_dir):
|
||||
os.makedirs(temp_cert_dir)
|
||||
ca_subj = "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=Self-signed by GoHarbor"
|
||||
cert_subj = "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=notarysigner"
|
||||
signer_ca_cert = os.path.join(temp_cert_dir, "notary-signer-ca.crt")
|
||||
signer_ca_key = os.path.join(temp_cert_dir, "notary-signer-ca.key")
|
||||
signer_cert_path = os.path.join(temp_cert_dir, "notary-signer.crt")
|
||||
signer_key_path = os.path.join(temp_cert_dir, "notary-signer.key")
|
||||
create_root_cert(ca_subj, key_path=signer_ca_key, cert_path=signer_ca_cert)
|
||||
create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path)
|
||||
print("Copying certs for notary signer")
|
||||
shutil.copy2(signer_cert_path, signer_cert_secret_path)
|
||||
shutil.copy2(signer_key_path, signer_key_secret_path)
|
||||
shutil.copy2(signer_ca_cert, signer_ca_cert_secret_path)
|
||||
finally:
|
||||
srl_tmp = os.path.join(os.getcwd(), ".srl")
|
||||
if os.path.isfile(srl_tmp):
|
||||
os.remove(srl_tmp)
|
||||
if os.path.isdir(temp_cert_dir):
|
||||
shutil.rmtree(temp_cert_dir, True)
|
||||
|
||||
# copy server_env to notary config
|
||||
shutil.copy2(
|
||||
os.path.join(notary_template_dir, "server_env.jinja"),
|
||||
os.path.join(notary_config_dir, "server_env"))
|
||||
@ -60,10 +80,10 @@ def prepare_env_notary(customize_crt, nginx_config_dir):
|
||||
notary_server_nginx_config = os.path.join(nginx_config_dir, "notary.server.conf")
|
||||
shutil.copy2(notary_nginx_upstream_template_conf, notary_server_nginx_config)
|
||||
|
||||
mark_file(os.path.join(notary_config_dir, "notary-signer.crt"))
|
||||
mark_file(os.path.join(notary_config_dir, "notary-signer.key"))
|
||||
mark_file(os.path.join(notary_config_dir, "notary-signer-ca.crt"))
|
||||
mark_file(os.path.join(notary_config_dir, "root.crt"))
|
||||
mark_file(os.path.join(notary_secret_dir, "notary-signer.crt"))
|
||||
mark_file(os.path.join(notary_secret_dir, "notary-signer.key"))
|
||||
mark_file(os.path.join(notary_secret_dir, "notary-signer-ca.crt"))
|
||||
mark_file(os.path.join(notary_secret_dir, "root.crt"))
|
||||
|
||||
# print("Copying sql file for notary DB")
|
||||
# if os.path.exists(os.path.join(notary_config_dir, "postgresql-initdb.d")):
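Review bot: The freshly generated signer CA key and signer key are written to the fixed path `/tmp/cert_tmp` (L524) before being copied into /secret/notary; a predictable name in a shared temp directory is the classic pre-existing-symlink-or-directory hazard, and the manual mkdir/rmtree pair at L527–L530 and L581–L584 is exactly what `tempfile.TemporaryDirectory()` exists for, creating a mode-0700 directory with an unpredictable name and removing it on exit. Replacing the `try:` with `with tempfile.TemporaryDirectory() as temp_cert_dir:` lets the mkdir and rmtree lines go, with only the `.srl` cleanup left in a `finally`; `import tempfile` would join the imports at L336. This pattern was carried over from the removed branch rather than introduced here. Separately, `notary_root_cert_secret_path` (L469) is assigned but not used in this hunk, and the new `mark_file(os.path.join(notary_secret_dir, "root.crt"))` at L633 will raise FileNotFoundError unless something outside these hunks places root.crt under /secret/notary; I could not find that write on this rendering, so please confirm.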
|
||||
|