Enhance: Refactor the notary structure
1. Update the notary template in docker-compose 2. Automatically generate the notary signer certs if they do not exist Signed-off-by: Qian Deng <dengq@vmware.com>
This commit is contained in:
parent
93af296eeb
commit
0c84751a10
@ -14,12 +14,6 @@ ui_url_protocol: https
|
|||||||
#Maximum number of job workers in job service
|
#Maximum number of job workers in job service
|
||||||
max_job_workers: 10
|
max_job_workers: 10
|
||||||
|
|
||||||
#Determine whether or not to generate certificate for the registry's token.
|
|
||||||
#If the value is on, the prepare script creates new root cert and private key
|
|
||||||
#for generating token to access the registry. If the value is off the default key/cert will be used.
|
|
||||||
#This flag also controls the creation of the notary signer's cert.
|
|
||||||
customize_crt: on
|
|
||||||
|
|
||||||
# The default data volume
|
# The default data volume
|
||||||
data_volume: /data
|
data_volume: /data
|
||||||
|
|
||||||
|
@ -13,6 +13,9 @@ config_dir = '/config'
|
|||||||
secret_dir = '/secret'
|
secret_dir = '/secret'
|
||||||
secret_key_dir='/secret/keys'
|
secret_key_dir='/secret/keys'
|
||||||
|
|
||||||
|
old_private_key_pem_path = Path('/config/core/private_key.pem')
|
||||||
|
old_crt_path = Path('/config/registry/root.crt')
|
||||||
|
|
||||||
private_key_pem_path = Path('/secret/core/private_key.pem')
|
private_key_pem_path = Path('/secret/core/private_key.pem')
|
||||||
root_crt_path = Path('/secret/registry/root.crt')
|
root_crt_path = Path('/secret/registry/root.crt')
|
||||||
|
|
||||||
|
@ -16,7 +16,8 @@ from utils.chart import prepare_chartmuseum
|
|||||||
from utils.docker_compose import prepare_docker_compose
|
from utils.docker_compose import prepare_docker_compose
|
||||||
from utils.nginx import prepare_nginx, nginx_confd_dir
|
from utils.nginx import prepare_nginx, nginx_confd_dir
|
||||||
from g import (config_dir, config_file_path, core_cert_dir, private_key_pem_path, root_crt_path,
|
from g import (config_dir, config_file_path, core_cert_dir, private_key_pem_path, root_crt_path,
|
||||||
registry_custom_ca_bundle_storage_path, registry_custom_ca_bundle_storage_input_path, secret_key_dir)
|
registry_custom_ca_bundle_storage_path, registry_custom_ca_bundle_storage_input_path, secret_key_dir,
|
||||||
|
old_private_key_pem_path, old_crt_path)
|
||||||
|
|
||||||
# Main function
|
# Main function
|
||||||
@click.command()
|
@click.command()
|
||||||
@ -48,6 +49,8 @@ def main(conf, with_notary, with_clair, with_chartmuseum):
|
|||||||
prepare_ca(
|
prepare_ca(
|
||||||
private_key_pem_path=private_key_pem_path,
|
private_key_pem_path=private_key_pem_path,
|
||||||
root_crt_path=root_crt_path,
|
root_crt_path=root_crt_path,
|
||||||
|
old_private_key_pem_path=old_private_key_pem_path,
|
||||||
|
old_crt_path=old_crt_path,
|
||||||
registry_custom_ca_bundle_config=registry_custom_ca_bundle_storage_input_path,
|
registry_custom_ca_bundle_config=registry_custom_ca_bundle_storage_input_path,
|
||||||
registry_custom_ca_bundle_storage_path=registry_custom_ca_bundle_storage_path)
|
registry_custom_ca_bundle_storage_path=registry_custom_ca_bundle_storage_path)
|
||||||
|
|
||||||
|
@ -282,6 +282,8 @@ services:
|
|||||||
dns_search: .
|
dns_search: .
|
||||||
volumes:
|
volumes:
|
||||||
- ./common/config/notary:/etc/notary:z
|
- ./common/config/notary:/etc/notary:z
|
||||||
|
- {{data_volume}}/secret/notary/notary-signer-ca.crt:/etc/notary/notary-signer-ca.crt:z
|
||||||
|
- {{data_volume}}/secret/registry/root.crt:/etc/notary/root.crt:z
|
||||||
env_file:
|
env_file:
|
||||||
- ./common/config/notary/server_env
|
- ./common/config/notary/server_env
|
||||||
depends_on:
|
depends_on:
|
||||||
@ -304,6 +306,8 @@ services:
|
|||||||
dns_search: .
|
dns_search: .
|
||||||
volumes:
|
volumes:
|
||||||
- ./common/config/notary:/etc/notary:z
|
- ./common/config/notary:/etc/notary:z
|
||||||
|
- {{data_volume}}/secret/notary/notary-signer.crt:/etc/notary/notary-signer.crt:z
|
||||||
|
- {{data_volume}}/secret/notary/notary-signer.key:/etc/notary/notary-signer.key:z
|
||||||
env_file:
|
env_file:
|
||||||
- ./common/config/notary/signer_env
|
- ./common/config/notary/signer_env
|
||||||
depends_on:
|
depends_on:
|
||||||
|
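Review bot: The new single-file bind mounts hand the signer its private key and the server its CA material read-write — `{{data_volume}}/secret/notary/notary-signer.key:/etc/notary/notary-signer.key:z` and the three `.crt` lines carry only the SELinux `z` relabel flag. Neither service has a reason to write these files, so `:ro,z` (read-only plus relabel) on all four lines limits what a compromised notary process could do to the key material under `/secret`; the `secret/registry/root.crt` mount into notary-server deserves the same treatment. One operational caveat worth a comment in the template: because these are file-level bind mounts, if prepare has not created a file before `docker-compose up`, Docker creates a directory at that host path and the service then fails with an unhelpful mount error rather than a missing-certificate message.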
@ -108,18 +108,25 @@ def openssl_installed():
|
|||||||
def prepare_ca(
|
def prepare_ca(
|
||||||
private_key_pem_path: Path,
|
private_key_pem_path: Path,
|
||||||
root_crt_path: Path,
|
root_crt_path: Path,
|
||||||
|
old_private_key_pem_path: Path,
|
||||||
|
old_crt_path: Path,
|
||||||
registry_custom_ca_bundle_config: Path,
|
registry_custom_ca_bundle_config: Path,
|
||||||
registry_custom_ca_bundle_storage_path: Path):
|
registry_custom_ca_bundle_storage_path: Path):
|
||||||
|
if not ( private_key_pem_path.exists() and root_crt_path.exists() ):
|
||||||
|
# From version 1.8 the cert storage path is changed
|
||||||
|
# if old key paris not exist create new ones
|
||||||
|
# if old key pairs exist in old place copy it to new place
|
||||||
|
if not (old_crt_path.exists() and old_private_key_pem_path.exists()):
|
||||||
|
private_key_pem_path.parent.mkdir(parents=True, exist_ok=True)
|
||||||
|
root_crt_path.parent.mkdir(parents=True, exist_ok=True)
|
||||||
|
|
||||||
if not (private_key_pem_path.exists() and root_crt_path.exists()):
|
empty_subj = "/"
|
||||||
|
create_root_cert(empty_subj, key_path=private_key_pem_path, cert_path=root_crt_path)
|
||||||
|
mark_file(private_key_pem_path)
|
||||||
|
mark_file(root_crt_path)
|
||||||
|
shutil.move(old_crt_path, root_crt_path)
|
||||||
|
shutil.move(old_private_key_pem_path, private_key_pem_path)
|
||||||
|
|
||||||
private_key_pem_path.parent.mkdir(parents=True, exist_ok=True)
|
|
||||||
root_crt_path.parent.mkdir(parents=True, exist_ok=True)
|
|
||||||
|
|
||||||
empty_subj = "/"
|
|
||||||
create_root_cert(empty_subj, key_path=private_key_pem_path, cert_path=root_crt_path)
|
|
||||||
mark_file(private_key_pem_path)
|
|
||||||
mark_file(root_crt_path)
|
|
||||||
|
|
||||||
if not registry_custom_ca_bundle_storage_path.exists() and registry_custom_ca_bundle_config.exists():
|
if not registry_custom_ca_bundle_storage_path.exists() and registry_custom_ca_bundle_config.exists():
|
||||||
registry_custom_ca_bundle_storage_path.parent.mkdir(parents=True, exist_ok=True)
|
registry_custom_ca_bundle_storage_path.parent.mkdir(parents=True, exist_ok=True)
|
||||||
|
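Review bot: The migration branch in prepare_ca moves the pre-1.8 key pair into `/secret` without creating the destination directories and without re-applying `mark_file`, so a key moved from `/config/core/private_key.pem` keeps whatever mode and owner it had instead of the 0600 / 10000:10000 that the freshly generated branch enforces; both `mkdir(parents=True, exist_ok=True)` calls and both `mark_file` calls sit only under `if not (old_crt_path.exists() and old_private_key_pem_path.exists())`. The rendering also shows no `else:` between `mark_file(root_crt_path)` and `shutil.move(old_crt_path, root_crt_path)`; if the two moves are indeed not under an `else`, they run right after a fresh pair was generated and `shutil.move` raises FileNotFoundError on the absent old files — worth confirming against the source. The shape below makes the directory creation and permission hardening common to both branches; prepare_ca continues past the hunk (the custom CA bundle handling is cut off).
```python
    if not (private_key_pem_path.exists() and root_crt_path.exists()):
        # From 1.8 the token signing key lives under /secret; create the
        # target directories up front so both branches below can write there.
        private_key_pem_path.parent.mkdir(parents=True, exist_ok=True)
        root_crt_path.parent.mkdir(parents=True, exist_ok=True)
        if old_crt_path.exists() and old_private_key_pem_path.exists():
            # Pre-1.8 layout: migrate the existing pair instead of minting a new one.
            shutil.move(old_crt_path, root_crt_path)
            shutil.move(old_private_key_pem_path, private_key_pem_path)
        else:
            empty_subj = "/"
            create_root_cert(empty_subj, key_path=private_key_pem_path, cert_path=root_crt_path)
        # Enforce 0600 / DEFAULT_UID:DEFAULT_GID regardless of which branch produced the files.
        mark_file(private_key_pem_path)
        mark_file(root_crt_path)
    # … unchanged: registry custom CA bundle handling …
```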
@ -8,10 +8,10 @@ from g import DEFAULT_UID, DEFAULT_GID
|
|||||||
# To meet security requirement
|
# To meet security requirement
|
||||||
# By default it will change file mode to 0600, and make the owner of the file to 10000:10000
|
# By default it will change file mode to 0600, and make the owner of the file to 10000:10000
|
||||||
def mark_file(path, mode=0o600, uid=DEFAULT_UID, gid=DEFAULT_GID):
|
def mark_file(path, mode=0o600, uid=DEFAULT_UID, gid=DEFAULT_GID):
|
||||||
# if mode > 0:
|
if mode > 0:
|
||||||
# os.chmod(path, mode)
|
os.chmod(path, mode)
|
||||||
# if uid > 0 and gid > 0:
|
if uid > 0 and gid > 0:
|
||||||
# os.chown(path, uid, gid)
|
os.chown(path, uid, gid)
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
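Review bot: Now that `os.chmod(path, mode)` and `os.chown(path, uid, gid)` are live, `mark_file` dereferences symlinks, and because chown to 10000:10000 needs CAP_CHOWN this code runs privileged against the host-backed data tree, so a symlink planted at one of the secret paths would have its target's mode and ownership rewritten. A guard such as `if os.path.islink(path): raise RuntimeError("refusing to mark symlink: %s" % path)` ahead of the chmod closes that cheaply; `os.lchown` covers the ownership half, while `os.chmod(..., follow_symlinks=False)` is typically not supported on Linux. The `uid > 0 and gid > 0` condition also silently skips ownership when either value is 0, so an explicit root:root request is ignored rather than applied — fine for the 10000 default but worth stating, and the trailing `pass` is dead code. A two-line docstring along the lines of "Restrict a generated secret to mode/owner; a mode of 0 or a uid/gid of 0 leaves that attribute untouched." would make the contract visible to callers.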
@ -1,4 +1,4 @@
|
|||||||
import os, shutil
|
import os, shutil, pathlib
|
||||||
from g import base_dir, templates_dir, config_dir, root_crt_path, secret_key_dir,DEFAULT_UID, DEFAULT_GID
|
from g import base_dir, templates_dir, config_dir, root_crt_path, secret_key_dir,DEFAULT_UID, DEFAULT_GID
|
||||||
from .cert import openssl_installed, create_cert, create_root_cert, get_alias
|
from .cert import openssl_installed, create_cert, create_root_cert, get_alias
|
||||||
from .jinja import render_jinja
|
from .jinja import render_jinja
|
||||||
@ -21,36 +21,56 @@ notary_server_env_path = os.path.join(notary_config_dir, "server_env")
|
|||||||
|
|
||||||
def prepare_env_notary(customize_crt, nginx_config_dir):
|
def prepare_env_notary(customize_crt, nginx_config_dir):
|
||||||
notary_config_dir = prepare_config_dir(config_dir, "notary")
|
notary_config_dir = prepare_config_dir(config_dir, "notary")
|
||||||
if (customize_crt == 'on' or customize_crt == True) and openssl_installed():
|
old_signer_cert_secret_path = pathlib.Path(os.path.join(config_dir, 'notary-signer.crt'))
|
||||||
try:
|
old_signer_key_secret_path = pathlib.Path(os.path.join(config_dir, 'notary-signer.key'))
|
||||||
temp_cert_dir = os.path.join('/tmp', "cert_tmp")
|
old_signer_ca_cert_secret_path = pathlib.Path(os.path.join(config_dir, 'notary-signer-ca.crt'))
|
||||||
if not os.path.exists(temp_cert_dir):
|
|
||||||
os.makedirs(temp_cert_dir)
|
|
||||||
ca_subj = "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=Self-signed by GoHarbor"
|
|
||||||
cert_subj = "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=notarysigner"
|
|
||||||
signer_ca_cert = os.path.join(temp_cert_dir, "notary-signer-ca.crt")
|
|
||||||
signer_ca_key = os.path.join(temp_cert_dir, "notary-signer-ca.key")
|
|
||||||
signer_cert_path = os.path.join(temp_cert_dir, "notary-signer.crt")
|
|
||||||
signer_key_path = os.path.join(temp_cert_dir, "notary-signer.key")
|
|
||||||
create_root_cert(ca_subj, key_path=signer_ca_key, cert_path=signer_ca_cert)
|
|
||||||
create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path)
|
|
||||||
print("Copying certs for notary signer")
|
|
||||||
shutil.copy2(signer_cert_path, notary_config_dir)
|
|
||||||
shutil.copy2(signer_key_path, notary_config_dir)
|
|
||||||
shutil.copy2(signer_ca_cert, notary_config_dir)
|
|
||||||
finally:
|
|
||||||
srl_tmp = os.path.join(os.getcwd(), ".srl")
|
|
||||||
if os.path.isfile(srl_tmp):
|
|
||||||
os.remove(srl_tmp)
|
|
||||||
if os.path.isdir(temp_cert_dir):
|
|
||||||
shutil.rmtree(temp_cert_dir, True)
|
|
||||||
else:
|
|
||||||
print("Copying certs for notary signer")
|
|
||||||
shutil.copy2(os.path.join(notary_template_dir, "notary-signer.crt"), notary_config_dir)
|
|
||||||
shutil.copy2(os.path.join(notary_template_dir, "notary-signer.key"), notary_config_dir)
|
|
||||||
shutil.copy2(os.path.join(notary_template_dir, "notary-signer-ca.crt"), notary_config_dir)
|
|
||||||
|
|
||||||
shutil.copy2(root_crt_path, notary_config_dir)
|
notary_secret_dir = prepare_config_dir('/secret/notary')
|
||||||
|
signer_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer.crt'))
|
||||||
|
signer_key_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer.key'))
|
||||||
|
signer_ca_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer-ca.crt'))
|
||||||
|
notary_root_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'root.crt'))
|
||||||
|
|
||||||
|
|
||||||
|
# In version 1.8 the secret path changed
|
||||||
|
# If cert, key , ca all are exist in new place don't do anything
|
||||||
|
if not(
|
||||||
|
signer_cert_secret_path.exists() and
|
||||||
|
signer_key_secret_path.exists() and
|
||||||
|
signer_ca_cert_secret_path.exists()
|
||||||
|
):
|
||||||
|
# If the certs are exist in old place, move it to new place
|
||||||
|
if old_signer_ca_cert_secret_path.exists() and old_signer_cert_secret_path.exists() and old_signer_key_secret_path.exists():
|
||||||
|
print("Copying certs for notary signer")
|
||||||
|
shutil.copy2(old_signer_ca_cert_secret_path, signer_ca_cert_secret_path)
|
||||||
|
shutil.copy2(old_signer_key_secret_path, signer_key_secret_path)
|
||||||
|
shutil.copy2(old_signer_cert_secret_path, signer_cert_secret_path)
|
||||||
|
# If certs neither exist in new place nor in the old place, create it and move it to new place
|
||||||
|
else:
|
||||||
|
try:
|
||||||
|
temp_cert_dir = os.path.join('/tmp', "cert_tmp")
|
||||||
|
if not os.path.exists(temp_cert_dir):
|
||||||
|
os.makedirs(temp_cert_dir)
|
||||||
|
ca_subj = "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=Self-signed by GoHarbor"
|
||||||
|
cert_subj = "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=notarysigner"
|
||||||
|
signer_ca_cert = os.path.join(temp_cert_dir, "notary-signer-ca.crt")
|
||||||
|
signer_ca_key = os.path.join(temp_cert_dir, "notary-signer-ca.key")
|
||||||
|
signer_cert_path = os.path.join(temp_cert_dir, "notary-signer.crt")
|
||||||
|
signer_key_path = os.path.join(temp_cert_dir, "notary-signer.key")
|
||||||
|
create_root_cert(ca_subj, key_path=signer_ca_key, cert_path=signer_ca_cert)
|
||||||
|
create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path)
|
||||||
|
print("Copying certs for notary signer")
|
||||||
|
shutil.copy2(signer_cert_path, signer_cert_secret_path)
|
||||||
|
shutil.copy2(signer_key_path, signer_key_secret_path)
|
||||||
|
shutil.copy2(signer_ca_cert, signer_ca_cert_secret_path)
|
||||||
|
finally:
|
||||||
|
srl_tmp = os.path.join(os.getcwd(), ".srl")
|
||||||
|
if os.path.isfile(srl_tmp):
|
||||||
|
os.remove(srl_tmp)
|
||||||
|
if os.path.isdir(temp_cert_dir):
|
||||||
|
shutil.rmtree(temp_cert_dir, True)
|
||||||
|
|
||||||
|
# copy server_env to notary config
|
||||||
shutil.copy2(
|
shutil.copy2(
|
||||||
os.path.join(notary_template_dir, "server_env.jinja"),
|
os.path.join(notary_template_dir, "server_env.jinja"),
|
||||||
os.path.join(notary_config_dir, "server_env"))
|
os.path.join(notary_config_dir, "server_env"))
|
||||||
@ -60,10 +80,10 @@ def prepare_env_notary(customize_crt, nginx_config_dir):
|
|||||||
notary_server_nginx_config = os.path.join(nginx_config_dir, "notary.server.conf")
|
notary_server_nginx_config = os.path.join(nginx_config_dir, "notary.server.conf")
|
||||||
shutil.copy2(notary_nginx_upstream_template_conf, notary_server_nginx_config)
|
shutil.copy2(notary_nginx_upstream_template_conf, notary_server_nginx_config)
|
||||||
|
|
||||||
mark_file(os.path.join(notary_config_dir, "notary-signer.crt"))
|
mark_file(os.path.join(notary_secret_dir, "notary-signer.crt"))
|
||||||
mark_file(os.path.join(notary_config_dir, "notary-signer.key"))
|
mark_file(os.path.join(notary_secret_dir, "notary-signer.key"))
|
||||||
mark_file(os.path.join(notary_config_dir, "notary-signer-ca.crt"))
|
mark_file(os.path.join(notary_secret_dir, "notary-signer-ca.crt"))
|
||||||
mark_file(os.path.join(notary_config_dir, "root.crt"))
|
mark_file(os.path.join(notary_secret_dir, "root.crt"))
|
||||||
|
|
||||||
# print("Copying sql file for notary DB")
|
# print("Copying sql file for notary DB")
|
||||||
# if os.path.exists(os.path.join(notary_config_dir, "postgresql-initdb.d")):
|
# if os.path.exists(os.path.join(notary_config_dir, "postgresql-initdb.d")):
|
||||||
|
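Review bot: `prepare_env_notary` drops the old `shutil.copy2(root_crt_path, notary_config_dir)` and defines `notary_root_cert_secret_path` without ever writing to it, yet the last hunk still calls `mark_file(os.path.join(notary_secret_dir, "root.crt"))`; unless the three lines between the two hunks copy `root_crt_path` there, that `os.chmod` raises FileNotFoundError on a fresh install, and since the compose template now mounts `secret/registry/root.crt` into notary-server directly the simplest fix is to delete that `mark_file` line and the unused variable. The migration sources are built from `config_dir` (`/config/notary-signer.key`) whereas the removed code wrote them under `notary_config_dir`, so if `prepare_config_dir(config_dir, "notary")` joins the two as its name suggests, the old-location branch never matches and upgrades silently mint a fresh signer CA and key. The comments say "move it to new place" but `shutil.copy2` is used, which leaves a second copy of the signer private key in the less-protected config directory; `shutil.move` there, or an `os.remove(old_signer_key_secret_path)` after the copy, avoids that. `customize_crt` remains a parameter but is no longer read anywhere visible, and the scratch directory is a fixed, predictable `/tmp/cert_tmp` in which the CA private key briefly lives — `tempfile.mkdtemp()` (created 0700) is a drop-in replacement for the `os.makedirs` line. The function spans all three hunks and its body between them is not shown.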