diff --git a/make/docker-compose.chartmuseum.tpl b/make/docker-compose.chartmuseum.tpl
index 497c4b47f..ed47bc769 100644
--- a/make/docker-compose.chartmuseum.tpl
+++ b/make/docker-compose.chartmuseum.tpl
@@ -20,6 +20,7 @@ services:
 - redis
 volumes:
 - /data/chart_storage:/chart_storage:z
+ - ./common/config/chartserver:/etc/chartserver:z
 logging:
 driver: "syslog"
 options:
diff --git a/make/harbor.cfg b/make/harbor.cfg
index 28be9db98..585b9d007 100644
--- a/make/harbor.cfg
+++ b/make/harbor.cfg
@@ -186,14 +186,16 @@ uaa_verify_cert = true
 uaa_ca_cert = /path/to/ca.pem
-### Docker Registry setting ###
+### Harbor Storage settings ###
+#Please be aware that the following storage settings will be applied to both docker registry and helm chart repository.
 #registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
 registry_storage_provider_name = filesystem
 #registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".
+#To avoid duplicated configurations, both docker registry and chart repository follow the same storage configuration specifications of docker registry.
 #Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
 registry_storage_provider_config =
 #registry_custom_ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
-#of registry's container. This is usually needed when the user hosts a internal storage with self signed certificate.
+#of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
 registry_custom_ca_bundle =
 #If reload_config=true, all settings which present in harbor.cfg take effect after prepare and restart harbor, it overwrites exsiting settings.
diff --git a/make/photon/chartserver/docker-entrypoint.sh b/make/photon/chartserver/docker-entrypoint.sh
index 0d67c2a0f..13fe86656 100644
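Review bot: The new bind mount of `./common/config/chartserver` into `/etc/chartserver` is read-write, but the only use of that directory visible in this commit is reading `custom-ca-bundle.crt`, and `prepare` now also drops a GCS service-account key (`gcs.key`) there, so the chart server container has no reason to be able to modify its own credential and trust material. I would add the `ro` mount option next to the existing `z` label (e.g. `- ./common/config/chartserver:/etc/chartserver:z,ro`), provided the compose version in use accepts combined mode flags; the service definition this volume belongs to begins outside the hunk.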
--- a/make/photon/chartserver/docker-entrypoint.sh
+++ b/make/photon/chartserver/docker-entrypoint.sh
@@ -7,6 +7,22 @@ if [ -d /chart_storage ]; then
 chown 10000:10000 -R /chart_storage
 fi
-# Start the server process
+#Config the custom ca bundle
+if [ -f /etc/chartserver/custom-ca-bundle.crt ]; then
+ if grep -q "Photon" /etc/lsb-release; then
+ if [ ! -f /etc/pki/tls/certs/ca-bundle.crt.original ]; then
+ cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.original
+ fi
+
+ echo "Appending custom ca bundle ..."
+ cp /etc/pki/tls/certs/ca-bundle.crt.original /etc/pki/tls/certs/ca-bundle.crt
+ cat /etc/chartserver/custom-ca-bundle.crt >> /etc/pki/tls/certs/ca-bundle.crt
+ echo "Done."
+ else
+ echo "Current OS is not Photon, skip appending ca bundle"
+ fi
+fi
+
+#Start the server process
 sudo -E -H -u \#10000 sh -c "/chartserver/chartm" #Parameters are set by ENV
 set +e
diff --git a/make/prepare b/make/prepare
index 240f2d6a1..cfcf3c8e9 100755
--- a/make/prepare
+++ b/make/prepare
@@ -399,6 +399,14 @@ if storage_provider_name == "filesystem":
 # generate storage configuration section in yaml format
 storage_provider_conf_list = [storage_provider_name + ':']
 for c in storage_provider_config.split(","):
+ kvs = c.split(": ")
+ if len(kvs) == 2:
+ if kvs[0].strip() == "keyfile":
+ srcKeyFile = kvs[1].strip()
+ if os.path.isfile(srcKeyFile):
+ shutil.copyfile(srcKeyFile, os.path.join(registry_config_dir, "gcs.key"))
+ storage_provider_conf_list.append("keyfile: %s" % "/etc/registry/gcs.key")
+ continue
 storage_provider_conf_list.append(c.strip())
 storage_provider_info = ('\n' + ' ' * 4).join(storage_provider_conf_list)
 render(os.path.join(templates_dir, "registry", registry_config_file),
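Review bot: The `cat /etc/chartserver/custom-ca-bundle.crt >> /etc/pki/tls/certs/ca-bundle.crt` line appends the custom bundle directly after the last byte of the restored system bundle, so if that file does not end with a newline the first `-----BEGIN CERTIFICATE-----` of the custom bundle is glued onto the previous line and that certificate is silently dropped by the PEM parser. Writing a separator first, `printf '\n' >> /etc/pki/tls/certs/ca-bundle.crt`, immediately before the `cat` makes the append correct however either file is terminated. The restore-from-`.original` step is a good way to keep the operation idempotent across restarts; it would be worth a one-line comment saying so, e.g. `# restore the pristine bundle first so repeated starts do not append duplicates`. The script header, and any `set -e` that the closing `set +e` implies, is outside the hunk.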
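Review bot: When `keyfile` is configured but `os.path.isfile(srcKeyFile)` is false, the new code falls through to `storage_provider_conf_list.append(c.strip())`, so the host path is written verbatim into the registry config and the mistake only surfaces when the registry container starts and cannot open the file; `prepare` should stop here with a clear message instead, e.g. `if not os.path.isfile(srcKeyFile): raise Exception("keyfile %s does not exist" % srcKeyFile)` (using whatever error convention this script applies elsewhere). The same silent skip appears in the chart-mode hunks at @@ -612 (custom CA bundle) and @@ -643 (gcs keyfile). Separately, `c.split(": ")` only recognises the exact colon-space spelling documented in harbor.cfg, so `keyfile:/path` yields one element and is passed through untouched; `c.split(":", 1)` would accept both forms. The `for` loop sits in a branch whose `if`/`else` starts outside the hunk.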
@@ -612,6 +620,11 @@ if args.chart_mode:
 print ("Create config folder: %s" % chartm_config_dir)
 os.makedirs(chartm_config_dir)
+ # handle custom ca bundle
+ if len(registry_custom_ca_bundle_path) > 0 and os.path.isfile(registry_custom_ca_bundle_path):
+ shutil.copyfile(registry_custom_ca_bundle_path, os.path.join(chartm_config_dir, "custom-ca-bundle.crt"))
+ print("Copied custom ca bundle: %s" % os.path.join(chartm_config_dir, "custom-ca-bundle.crt"))
+
 # process redis info
 cache_store = "redis"
 cache_redis_password = redis_password
@@ -643,15 +656,25 @@ if args.chart_mode:
 storage_provider_config_options.append("STORAGE_AMAZON_PREFIX=%s" % storgae_provider_confg_map.get("rootdirectory", ""))
 storage_provider_config_options.append("STORAGE_AMAZON_REGION=%s" % storgae_provider_confg_map.get("region", ""))
 storage_provider_config_options.append("STORAGE_AMAZON_ENDPOINT=%s" % storgae_provider_confg_map.get("regionendpoint", ""))
+ storage_provider_config_options.append("AWS_ACCESS_KEY_ID=%s" % storgae_provider_confg_map.get("accesskey", ""))
+ storage_provider_config_options.append("AWS_SECRET_ACCESS_KEY=%s" % storgae_provider_confg_map.get("secretkey", ""))
 elif storage_provider_name == "gcs":
 # google cloud storage
 storage_driver = "google"
 storage_provider_config_options.append("STORAGE_GOOGLE_BUCKET=%s" % storgae_provider_confg_map.get("bucket", ""))
 storage_provider_config_options.append("STORAGE_GOOGLE_PREFIX=%s" % storgae_provider_confg_map.get("rootdirectory", ""))
+
+ keyFileOnHost = storgae_provider_confg_map.get("keyfile", "")
+ if os.path.isfile(keyFileOnHost):
+ shutil.copyfile(keyFileOnHost, os.path.join(chartm_config_dir, "gcs.key"))
+ targetKeyFile = "/etc/chartserver/gcs.key"
+ storage_provider_config_options.append("GOOGLE_APPLICATION_CREDENTIALS=%s" % targetKeyFile)
 elif storage_provider_name == "azure":
 # azure storage
 storage_driver = "microsoft"
 storage_provider_config_options.append("STORAGE_MICROSOFT_CONTAINER=%s" % storgae_provider_confg_map.get("container", ""))
+ storage_provider_config_options.append("AZURE_STORAGE_ACCOUNT=%s" % storgae_provider_confg_map.get("accountname", ""))
+ storage_provider_config_options.append("AZURE_STORAGE_ACCESS_KEY=%s" % storgae_provider_confg_map.get("accountkey", ""))
 storage_provider_config_options.append("STORAGE_MICROSOFT_PREFIX=/azure/harbor/charts")
 elif storage_provider_name == "swift":
 # open stack swift
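Review bot: `shutil.copyfile(keyFileOnHost, os.path.join(chartm_config_dir, "gcs.key"))` copies content only, so the service-account key is created with the mode implied by the current umask (typically world-readable) rather than the source file's mode, and the s3/azure branches now put `AWS_SECRET_ACCESS_KEY` and `AZURE_STORAGE_ACCESS_KEY` into `storage_provider_config_options`, which is presumably rendered into a file in the same directory further down (outside this hunk). Both are long-lived cloud credentials, so after the copy I would restrict the key file, e.g. `os.chmod(os.path.join(chartm_config_dir, "gcs.key"), 0o600)`, and make sure its owner matches the uid the chart server runs as, since the entrypoint in this same commit switches to `\#10000` before launching `chartm`; the same consideration applies to whatever file the env options end up in. A short comment above the copy, `# the key is read inside the container via GOOGLE_APPLICATION_CREDENTIALS; keep it private to the chart server user`, would record the intent. The `elif` chain these branches belong to starts outside the hunk.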
@@ -659,12 +682,21 @@ if args.chart_mode:
 storage_provider_config_options.append("STORAGE_OPENSTACK_CONTAINER=%s" % storgae_provider_confg_map.get("container", ""))
 storage_provider_config_options.append("STORAGE_OPENSTACK_PREFIX=%s" % storgae_provider_confg_map.get("rootdirectory", ""))
 storage_provider_config_options.append("STORAGE_OPENSTACK_REGION=%s" % storgae_provider_confg_map.get("region", ""))
+ storage_provider_config_options.append("OS_AUTH_URL=%s" % storgae_provider_confg_map.get("authurl", ""))
+ storage_provider_config_options.append("OS_USERNAME=%s" % storgae_provider_confg_map.get("username", ""))
+ storage_provider_config_options.append("OS_PASSWORD=%s" % storgae_provider_confg_map.get("password", ""))
+ storage_provider_config_options.append("OS_PROJECT_ID=%s" % storgae_provider_confg_map.get("tenantid", ""))
+ storage_provider_config_options.append("OS_PROJECT_NAME=%s" % storgae_provider_confg_map.get("tenant", ""))
+ storage_provider_config_options.append("OS_DOMAIN_ID=%s" % storgae_provider_confg_map.get("domainid", ""))
+ storage_provider_config_options.append("OS_DOMAIN_NAME=%s" % storgae_provider_confg_map.get("domain", ""))
 elif storage_provider_name == "oss":
 # aliyun OSS
 storage_driver = "alibaba"
 storage_provider_config_options.append("STORAGE_ALIBABA_BUCKET=%s" % storgae_provider_confg_map.get("bucket", ""))
 storage_provider_config_options.append("STORAGE_ALIBABA_PREFIX=%s" % storgae_provider_confg_map.get("rootdirectory", ""))
 storage_provider_config_options.append("STORAGE_ALIBABA_ENDPOINT=%s" % storgae_provider_confg_map.get("endpoint", ""))
+ storage_provider_config_options.append("ALIBABA_CLOUD_ACCESS_KEY_ID=%s" % storgae_provider_confg_map.get("accesskeyid", ""))
+ storage_provider_config_options.append("ALIBABA_CLOUD_ACCESS_KEY_SECRET=%s" % storgae_provider_confg_map.get("accesskeysecret", ""))
 else:
 # use local file system
 storage_provider_config_options.append("STORAGE_LOCAL_ROOTDIR=/chart_storage")
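Review bot: The seven new swift lines (and the two OSS lines below them) are the same statement repeated with a different env-var name and config key, which makes the harbor.cfg-key-to-env-var mapping hard to review and easy to get out of sync; a small table plus one loop keeps the mapping in one place and leaves the emitted options byte-identical. The `elif storage_provider_name == "swift":` line and the earlier `STORAGE_OPENSTACK_*` options belong to a branch that starts in the previous hunk; the sketch below (indentation constructed, since the page's indentation is collapsed) shows only the replaced lines.
```python
# … unchanged: STORAGE_OPENSTACK_CONTAINER/PREFIX/REGION options …
# harbor.cfg storage keys (docker registry swift driver names) -> chart server env vars
swift_env_keys = [
    ("OS_AUTH_URL", "authurl"),
    ("OS_USERNAME", "username"),
    ("OS_PASSWORD", "password"),
    ("OS_PROJECT_ID", "tenantid"),
    ("OS_PROJECT_NAME", "tenant"),
    ("OS_DOMAIN_ID", "domainid"),
    ("OS_DOMAIN_NAME", "domain"),
]
for env_name, cfg_key in swift_env_keys:
    storage_provider_config_options.append("%s=%s" % (env_name, storgae_provider_confg_map.get(cfg_key, "")))
# … unchanged: oss and local-filesystem branches …
```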