Enhance: Refactor the notary structure

1. Update notary template on docker-compose 2. automatic generate cert if not exist Signed-off-by: Qian Deng <dengq@vmware.com>
2024-09-27 21:12:42 +02:00 · 2019-03-18 10:14:00 +08:00 · 2019-03-18 10:14:00 +08:00 · 0c84751a10
commit 0c84751a10
parent 93af296eeb
7 changed files with 84 additions and 53 deletions
--- a/make/harbor.yml
+++ b/make/harbor.yml
@ -14,12 +14,6 @@ ui_url_protocol: https
 #Maximum number of job workers in job service  
 max_job_workers: 10

-#Determine whether or not to generate certificate for the registry's token.
-#If the value is on, the prepare script creates new root cert and private key 
-#for generating token to access the registry. If the value is off the default key/cert will be used.
-#This flag also controls the creation of the notary signer's cert.
-customize_crt: on
-
 # The default data volume
 data_volume: /data

--- a/make/photon/prepare/g.py
+++ b/make/photon/prepare/g.py
@ -13,6 +13,9 @@ config_dir = '/config'
 secret_dir = '/secret'
 secret_key_dir='/secret/keys'

+old_private_key_pem_path = Path('/config/core/private_key.pem')
+old_crt_path = Path('/config/registry/root.crt')
+
 private_key_pem_path = Path('/secret/core/private_key.pem')
 root_crt_path = Path('/secret/registry/root.crt')

--- a/make/photon/prepare/main.py
+++ b/make/photon/prepare/main.py
@ -16,7 +16,8 @@ from utils.chart import prepare_chartmuseum
 from utils.docker_compose import prepare_docker_compose
 from utils.nginx import prepare_nginx, nginx_confd_dir
 from g import (config_dir, config_file_path, core_cert_dir, private_key_pem_path, root_crt_path, 
-registry_custom_ca_bundle_storage_path, registry_custom_ca_bundle_storage_input_path, secret_key_dir)
+registry_custom_ca_bundle_storage_path, registry_custom_ca_bundle_storage_input_path, secret_key_dir,
+old_private_key_pem_path, old_crt_path)

 # Main function
@click.command()
@ -48,6 +49,8 @@ def main(conf, with_notary, with_clair, with_chartmuseum):
    prepare_ca(
        private_key_pem_path=private_key_pem_path,
        root_crt_path=root_crt_path,
+        old_private_key_pem_path=old_private_key_pem_path,
+        old_crt_path=old_crt_path,
        registry_custom_ca_bundle_config=registry_custom_ca_bundle_storage_input_path,
        registry_custom_ca_bundle_storage_path=registry_custom_ca_bundle_storage_path)

--- a/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
+++ b/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
@ -282,6 +282,8 @@ services:
    dns_search: .
    volumes:
      - ./common/config/notary:/etc/notary:z
+      - {{data_volume}}/secret/notary/notary-signer-ca.crt:/etc/notary/notary-signer-ca.crt:z
+      - {{data_volume}}/secret/registry/root.crt:/etc/notary/root.crt:z
    env_file:
      - ./common/config/notary/server_env
    depends_on:
@ -304,6 +306,8 @@ services:
    dns_search: .
    volumes:
      - ./common/config/notary:/etc/notary:z
+      - {{data_volume}}/secret/notary/notary-signer.crt:/etc/notary/notary-signer.crt:z
+      - {{data_volume}}/secret/notary/notary-signer.key:/etc/notary/notary-signer.key:z
    env_file:
      - ./common/config/notary/signer_env
    depends_on:
--- a/make/photon/prepare/utils/cert.py
+++ b/make/photon/prepare/utils/cert.py
@ -108,18 +108,25 @@ def openssl_installed():
 def prepare_ca(
    private_key_pem_path: Path,
    root_crt_path: Path,
+    old_private_key_pem_path: Path,
+    old_crt_path: Path,
    registry_custom_ca_bundle_config: Path,
    registry_custom_ca_bundle_storage_path: Path):
+    if not ( private_key_pem_path.exists() and root_crt_path.exists() ):
+        # From version 1.8 the cert storage path is changed
+        # if old key paris not exist create new ones
+        # if old key pairs exist in old place copy it to new place
+        if not (old_crt_path.exists() and old_private_key_pem_path.exists()):
+            private_key_pem_path.parent.mkdir(parents=True, exist_ok=True)
+            root_crt_path.parent.mkdir(parents=True, exist_ok=True)

-    if not (private_key_pem_path.exists() and root_crt_path.exists()):
+            empty_subj = "/"
+            create_root_cert(empty_subj, key_path=private_key_pem_path, cert_path=root_crt_path)
+            mark_file(private_key_pem_path)
+            mark_file(root_crt_path)
+        shutil.move(old_crt_path, root_crt_path)
+        shutil.move(old_private_key_pem_path, private_key_pem_path)

-        private_key_pem_path.parent.mkdir(parents=True, exist_ok=True)
-        root_crt_path.parent.mkdir(parents=True, exist_ok=True)
-
-        empty_subj = "/"
-        create_root_cert(empty_subj, key_path=private_key_pem_path, cert_path=root_crt_path)
-        mark_file(private_key_pem_path)
-        mark_file(root_crt_path)

    if not registry_custom_ca_bundle_storage_path.exists() and registry_custom_ca_bundle_config.exists():
        registry_custom_ca_bundle_storage_path.parent.mkdir(parents=True, exist_ok=True)
--- a/make/photon/prepare/utils/misc.py
+++ b/make/photon/prepare/utils/misc.py
@ -8,10 +8,10 @@ from g import DEFAULT_UID, DEFAULT_GID
 # To meet security requirement
 # By default it will change file mode to 0600, and make the owner of the file to 10000:10000
 def mark_file(path, mode=0o600, uid=DEFAULT_UID, gid=DEFAULT_GID):
-    # if mode > 0:
-    #     os.chmod(path, mode)
-    # if uid > 0 and gid > 0:
-    #     os.chown(path, uid, gid)
+    if mode > 0:
+        os.chmod(path, mode)
+    if uid > 0 and gid > 0:
+        os.chown(path, uid, gid)
    pass


--- a/make/photon/prepare/utils/notary.py
+++ b/make/photon/prepare/utils/notary.py
@ -1,4 +1,4 @@
-import os, shutil
+import os, shutil, pathlib
 from g import base_dir, templates_dir, config_dir, root_crt_path, secret_key_dir,DEFAULT_UID, DEFAULT_GID
 from .cert import openssl_installed, create_cert, create_root_cert, get_alias
 from .jinja import render_jinja
@ -21,36 +21,56 @@ notary_server_env_path = os.path.join(notary_config_dir, "server_env")

 def prepare_env_notary(customize_crt, nginx_config_dir):
    notary_config_dir = prepare_config_dir(config_dir, "notary")
-    if (customize_crt == 'on' or customize_crt == True)  and openssl_installed():
-        try:
-            temp_cert_dir = os.path.join('/tmp', "cert_tmp")
-            if not os.path.exists(temp_cert_dir):
-                os.makedirs(temp_cert_dir)
-            ca_subj = "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=Self-signed by GoHarbor"
-            cert_subj = "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=notarysigner"
-            signer_ca_cert = os.path.join(temp_cert_dir, "notary-signer-ca.crt")
-            signer_ca_key = os.path.join(temp_cert_dir, "notary-signer-ca.key")
-            signer_cert_path = os.path.join(temp_cert_dir, "notary-signer.crt")
-            signer_key_path = os.path.join(temp_cert_dir, "notary-signer.key")
-            create_root_cert(ca_subj, key_path=signer_ca_key, cert_path=signer_ca_cert)
-            create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path)
-            print("Copying certs for notary signer")
-            shutil.copy2(signer_cert_path, notary_config_dir)
-            shutil.copy2(signer_key_path, notary_config_dir)
-            shutil.copy2(signer_ca_cert, notary_config_dir)
-        finally:
-            srl_tmp = os.path.join(os.getcwd(), ".srl")
-            if os.path.isfile(srl_tmp):
-                os.remove(srl_tmp)
-            if os.path.isdir(temp_cert_dir):
-                shutil.rmtree(temp_cert_dir, True)
-    else:
-        print("Copying certs for notary signer")
-        shutil.copy2(os.path.join(notary_template_dir, "notary-signer.crt"), notary_config_dir)
-        shutil.copy2(os.path.join(notary_template_dir, "notary-signer.key"), notary_config_dir)
-        shutil.copy2(os.path.join(notary_template_dir, "notary-signer-ca.crt"), notary_config_dir)
+    old_signer_cert_secret_path = pathlib.Path(os.path.join(config_dir, 'notary-signer.crt'))
+    old_signer_key_secret_path = pathlib.Path(os.path.join(config_dir, 'notary-signer.key'))
+    old_signer_ca_cert_secret_path = pathlib.Path(os.path.join(config_dir, 'notary-signer-ca.crt'))

-    shutil.copy2(root_crt_path, notary_config_dir)
+    notary_secret_dir = prepare_config_dir('/secret/notary')
+    signer_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer.crt'))
+    signer_key_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer.key'))
+    signer_ca_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer-ca.crt'))
+    notary_root_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'root.crt'))
+
+
+    # In version 1.8 the secret path changed
+    # If cert, key , ca all are exist in new place don't do anything
+    if not(
+        signer_cert_secret_path.exists() and
+        signer_key_secret_path.exists() and
+        signer_ca_cert_secret_path.exists()
+        ):
+        # If the certs are exist in old place, move it to new place
+        if old_signer_ca_cert_secret_path.exists() and old_signer_cert_secret_path.exists() and old_signer_key_secret_path.exists():
+            print("Copying certs for notary signer")
+            shutil.copy2(old_signer_ca_cert_secret_path, signer_ca_cert_secret_path)
+            shutil.copy2(old_signer_key_secret_path, signer_key_secret_path)
+            shutil.copy2(old_signer_cert_secret_path, signer_cert_secret_path)
+        # If certs neither exist in new place nor in the old place, create it and move it to new place
+        else:
+            try:
+                temp_cert_dir = os.path.join('/tmp', "cert_tmp")
+                if not os.path.exists(temp_cert_dir):
+                    os.makedirs(temp_cert_dir)
+                ca_subj = "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=Self-signed by GoHarbor"
+                cert_subj = "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=notarysigner"
+                signer_ca_cert = os.path.join(temp_cert_dir, "notary-signer-ca.crt")
+                signer_ca_key = os.path.join(temp_cert_dir, "notary-signer-ca.key")
+                signer_cert_path = os.path.join(temp_cert_dir, "notary-signer.crt")
+                signer_key_path = os.path.join(temp_cert_dir, "notary-signer.key")
+                create_root_cert(ca_subj, key_path=signer_ca_key, cert_path=signer_ca_cert)
+                create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path)
+                print("Copying certs for notary signer")
+                shutil.copy2(signer_cert_path, signer_cert_secret_path)
+                shutil.copy2(signer_key_path, signer_key_secret_path)
+                shutil.copy2(signer_ca_cert, signer_ca_cert_secret_path)
+            finally:
+                srl_tmp = os.path.join(os.getcwd(), ".srl")
+                if os.path.isfile(srl_tmp):
+                    os.remove(srl_tmp)
+                if os.path.isdir(temp_cert_dir):
+                    shutil.rmtree(temp_cert_dir, True)
+
+    # copy server_env to notary config
    shutil.copy2(
        os.path.join(notary_template_dir, "server_env.jinja"),
        os.path.join(notary_config_dir, "server_env"))
@ -60,10 +80,10 @@ def prepare_env_notary(customize_crt, nginx_config_dir):
    notary_server_nginx_config = os.path.join(nginx_config_dir, "notary.server.conf")
    shutil.copy2(notary_nginx_upstream_template_conf, notary_server_nginx_config)

-    mark_file(os.path.join(notary_config_dir, "notary-signer.crt"))
-    mark_file(os.path.join(notary_config_dir, "notary-signer.key"))
-    mark_file(os.path.join(notary_config_dir, "notary-signer-ca.crt"))
-    mark_file(os.path.join(notary_config_dir, "root.crt"))
+    mark_file(os.path.join(notary_secret_dir, "notary-signer.crt"))
+    mark_file(os.path.join(notary_secret_dir, "notary-signer.key"))
+    mark_file(os.path.join(notary_secret_dir, "notary-signer-ca.crt"))
+    mark_file(os.path.join(notary_secret_dir, "root.crt"))

    # print("Copying sql file for notary DB")
    # if os.path.exists(os.path.join(notary_config_dir, "postgresql-initdb.d")):