Merge pull request #3903 from reasonerjt/uaa-ca-config
Enable configuring the CA Certificate for UAA
This commit is contained in:
commit
1a7f6f36e2
@ -76,7 +76,7 @@ services:
|
||||
volumes:
|
||||
- ./common/config/ui/app.conf:/etc/ui/app.conf:z
|
||||
- ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
|
||||
- ./common/config/ui/certificates/:/etc/ui/certifates/
|
||||
- ./common/config/ui/certificates/:/etc/ui/certificates/
|
||||
- /data/secretkey:/etc/ui/key:z
|
||||
- /data/ca_download/:/etc/ui/ca/:z
|
||||
- /data/psc/:/etc/ui/token/:z
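Review bot: The corrected `certificates` mount on the new side is the only entry in this volume list without the `:z` SELinux relabel suffix that `app.conf`, `private_key.pem`, `key`, `ca` and `token` all carry, so on an SELinux-enforcing host the UI container would be denied access to the UAA CA that prepare copies there. Suggest `- ./common/config/ui/certificates/:/etc/ui/certificates/:z`; since the UI only reads this directory, `:ro,z` could also be appropriate. The `volumes:` list continues outside the hunk.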
|
||||
|
@ -142,4 +142,5 @@ uaa_endpoint = uaa.mydomain.org
|
||||
uaa_clientid = id
|
||||
uaa_clientsecret = secret
|
||||
uaa_verify_cert = true
|
||||
uaa_ca_cert = /path/to/ca.pem
|
||||
#############
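Review bot: The new `uaa_ca_cert` key has no comment saying that the path is resolved on the host by prepare, which copies the file into the UI's certificates directory, and that the client only consults it when `uaa_verify_cert = true`; an operator is likely to point it at a path inside the container. Suggest a `#` comment above the key, e.g. `# Host path of the PEM CA certificate that signed the UAA server cert; copied by prepare, honored only when uaa_verify_cert = true.`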
|
||||
|
12
make/prepare
12
make/prepare
@ -250,6 +250,7 @@ uaa_endpoint = rcp.get("configuration", "uaa_endpoint")
|
||||
uaa_clientid = rcp.get("configuration", "uaa_clientid")
|
||||
uaa_clientsecret = rcp.get("configuration", "uaa_clientsecret")
|
||||
uaa_verify_cert = rcp.get("configuration", "uaa_verify_cert")
|
||||
uaa_ca_cert = rcp.get("configuration", "uaa_ca_cert")
|
||||
|
||||
secret_key = get_secret_key(secretkey_path)
|
||||
log_rotate_count = rcp.get("configuration", "log_rotate_count")
|
||||
@ -280,6 +281,7 @@ log_config_dir = prep_conf_dir (config_dir, "log")
|
||||
adminserver_conf_env = os.path.join(config_dir, "adminserver", "env")
|
||||
ui_conf_env = os.path.join(config_dir, "ui", "env")
|
||||
ui_conf = os.path.join(config_dir, "ui", "app.conf")
|
||||
ui_cert_dir = os.path.join(config_dir, "ui", "certificates")
|
||||
jobservice_conf = os.path.join(config_dir, "jobservice", "app.conf")
|
||||
registry_conf = os.path.join(config_dir, "registry", "config.yml")
|
||||
db_conf_env = os.path.join(config_dir, "db", "env")
|
||||
@ -387,6 +389,16 @@ shutil.copyfile(os.path.join(templates_dir, "jobservice", "app.conf"), jobservic
|
||||
print("Generated configuration file: %s" % ui_conf)
|
||||
shutil.copyfile(os.path.join(templates_dir, "ui", "app.conf"), ui_conf)
|
||||
|
||||
if auth_mode == "uaa_auth":
|
||||
if os.path.isfile(uaa_ca_cert):
|
||||
if not os.path.isdir(ui_cert_dir):
|
||||
os.makedirs(ui_cert_dir, mode=0o600)
|
||||
ui_uaa_ca = os.path.join(ui_cert_dir, "uaa_ca.pem")
|
||||
print("Copying UAA CA cert to %s" % ui_uaa_ca)
|
||||
shutil.copyfile(uaa_ca_cert, ui_uaa_ca)
|
||||
else:
|
||||
print("Can not find UAA CA cert: %s, skip" % uaa_ca_cert)
|
||||
|
||||
|
||||
def validate_crt_subj(dirty_subj):
|
||||
subj_list = [item for item in dirty_subj.strip().split("/") \
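Review bot: `os.makedirs(ui_cert_dir, mode=0o600)` creates a directory without the search (x) bit, so any non-root process, including the owner, cannot open files inside it; root bypasses this, which is presumably why it works today, but the CA certificate is public data and the directory should be created with `mode=0o755` (or the default). Separately, when the configured file is missing the `else` branch only prints "skip", so a `uaa_ca.pem` copied by an earlier prepare run stays in `ui_cert_dir` and is presumably still trusted by the UI; consider removing it there, e.g. `stale = os.path.join(ui_cert_dir, "uaa_ca.pem")` followed by `if os.path.isfile(stale): os.remove(stale)`. The `os.path.isfile` check followed by `shutil.copyfile` is also a check-then-use pair, though for a root-run setup script that is a minor point.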
|
||||
|
@ -22,6 +22,7 @@ import (
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"github.com/vmware/harbor/src/common/utils/log"
|
||||
@ -179,16 +180,20 @@ func NewDefaultClient(cfg *ClientConfig) (Client, error) {
|
||||
InsecureSkipVerify: cfg.SkipTLSVerify,
|
||||
}
|
||||
if !cfg.SkipTLSVerify && len(cfg.CARootPath) > 0 {
|
||||
content, err := ioutil.ReadFile(cfg.CARootPath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
pool := x509.NewCertPool()
|
||||
//Do not throw error if the certificate is malformed, so we can put a place holder.
|
||||
if ok := pool.AppendCertsFromPEM(content); !ok {
|
||||
log.Warningf("Failed to append certificate to cert pool, cert path: %s", cfg.CARootPath)
|
||||
if _, err := os.Stat(cfg.CARootPath); !os.IsNotExist(err) {
|
||||
content, err := ioutil.ReadFile(cfg.CARootPath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
pool := x509.NewCertPool()
|
||||
//Do not throw error if the certificate is malformed, so we can put a place holder.
|
||||
if ok := pool.AppendCertsFromPEM(content); !ok {
|
||||
log.Warningf("Failed to append certificate to cert pool, cert path: %s", cfg.CARootPath)
|
||||
} else {
|
||||
tc.RootCAs = pool
|
||||
}
|
||||
} else {
|
||||
tc.RootCAs = pool
|
||||
log.Warningf("The root certificate file %s is not found, skip configuring root cert in UAA client.", cfg.CARootPath)
|
||||
}
|
||||
}
|
||||
hc := &http.Client{
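Review bot: The new `os.Stat` followed by `ioutil.ReadFile` is a check-then-use pair: if the file vanishes between the two calls the not-exist error from ReadFile is returned as a hard failure instead of taking the "skip" path, and the existence test adds a nesting level for no gain. Reading once and branching on `os.IsNotExist(err)` gives the same outcomes for every other error (permission denied and a directory at that path still return the error) without the race. Note also that a malformed PEM leaves `tc.RootCAs` nil, so the client silently verifies UAA against the system roots at Warning level; an operator who configured a private CA will see TLS failures rather than a configuration error, which is worth stating in the placeholder comment or logging at Error. `NewDefaultClient` begins and ends outside the hunk.
```go
if !cfg.SkipTLSVerify && len(cfg.CARootPath) > 0 {
	content, err := ioutil.ReadFile(cfg.CARootPath)
	switch {
	case os.IsNotExist(err):
		// A missing file is tolerated so a placeholder path can be configured;
		// the client then verifies UAA against the system roots only.
		log.Warningf("The root certificate file %s is not found, skip configuring root cert in UAA client.", cfg.CARootPath)
	case err != nil:
		return nil, err
	default:
		pool := x509.NewCertPool()
		//Do not throw error if the certificate is malformed, so we can put a place holder.
		if ok := pool.AppendCertsFromPEM(content); !ok {
			log.Warningf("Failed to append certificate to cert pool, cert path: %s", cfg.CARootPath)
		} else {
			tc.RootCAs = pool
		}
	}
}
// … unchanged: http.Client construction …
```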
|
||||
|
@ -98,7 +98,7 @@ func TestNewClientWithCACert(t *testing.T) {
|
||||
CARootPath: "/notexist",
|
||||
}
|
||||
_, err := NewDefaultClient(cfg)
|
||||
assert.NotNil(err)
|
||||
assert.Nil(err)
|
||||
//Skip if it's malformed.
|
||||
cfg.CARootPath = path.Join(currPath(), "test", "non-ca.pem")
|
||||
_, err = NewDefaultClient(cfg)
|
||||
|
@ -16,6 +16,7 @@ package uaa
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
@ -38,6 +39,7 @@ func CreateClient() (uaa.Client, error) {
|
||||
ClientSecret: UAASettings.ClientSecret,
|
||||
Endpoint: UAASettings.Endpoint,
|
||||
SkipTLSVerify: !UAASettings.VerifyCert,
|
||||
CARootPath: os.Getenv("UAA_CA_ROOT"),
|
||||
}
|
||||
return uaa.NewDefaultClient(cfg)
|
||||
}
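Review bot: `CARootPath` is the only field in this literal taken from the process environment (`UAA_CA_ROOT`) rather than from `UAASettings`, and nothing in the file says who sets that variable or what an empty value means; a reader cannot tell that unset means "verify UAA against the system roots only", which follows from the `len(cfg.CARootPath) > 0` guard in `uaa.NewDefaultClient`. Suggest a comment above the line, e.g. `// UAA_CA_ROOT: path to the CA bundle that prepare copies into the UI container (presumably exported by the generated env file); empty or missing makes NewDefaultClient fall back to the system roots.` The `CreateClient` signature is in the hunk header, so the function begins outside the hunk.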
|
||||
|