generate cert for notary signer in prepare

This commit is contained in:
Tan Jiang 2017-03-23 21:00:53 +08:00
parent a588819ce0
commit 402a482bc6
4 changed files with 47 additions and 25 deletions


@ -6,7 +6,7 @@
"type": "remote", "type": "remote",
"hostname": "notarysigner", "hostname": "notarysigner",
"port": "7899", "port": "7899",
"tls_ca_file": "./root-ca.crt", "tls_ca_file": "./notary-signer-ca.crt",
"key_algorithm": "ecdsa" "key_algorithm": "ecdsa"
}, },
"logging": { "logging": {


@ -60,6 +60,8 @@ services:
- TERM=dumb - TERM=dumb
- MYSQL_ALLOW_EMPTY_PASSWORD="true" - MYSQL_ALLOW_EMPTY_PASSWORD="true"
command: mysqld --innodb_file_per_table command: mysqld --innodb_file_per_table
depends_on:
- log
logging: logging:
driver: "syslog" driver: "syslog"
options: options:


@ -262,29 +262,33 @@ FNULL = open(os.devnull, 'w')
from functools import wraps from functools import wraps
def stat_decorator(func): def stat_decorator(func):
@wraps(func) @wraps(func)
def check_wrapper(*args, **kwargs): def check_wrapper(*args, **kw):
stat = func(*args, **kwargs) stat = func(*args, **kw)
message = "Generated configuration file: %s" % kwargs['path'] \ message = "Generated certificate, key file: %s, cert file: %s" % (kw['key_path'], kw['cert_path']) \
if stat == 0 else "Fail to generate %s" % kwargs['path'] if stat == 0 else "Fail to generate key file: %s, cert file: %s" % (kw['key_path'], kw['cert_path'])
print(message) print(message)
if stat != 0: if stat != 0:
sys.exit(1) sys.exit(1)
return check_wrapper return check_wrapper
@stat_decorator @stat_decorator
def check_private_key_stat(*args, **kwargs): def create_root_cert(subj, key_path="./k.key", cert_path="./cert.crt"):
return subprocess.call(["openssl", "genrsa", "-out", kwargs['path'], "4096"],\ rc = subprocess.call(["openssl", "genrsa", "-out", key_path, "4096"])
stdout=FNULL, stderr=subprocess.STDOUT) if rc != 0:
return rc
return subprocess.call(["openssl", "req", "-new", "-x509", "-key", key_path,\
"-out", cert_path, "-days", "3650", "-subj", subj])
@stat_decorator @stat_decorator
def check_certificate_stat(*args, **kwargs): def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt"):
dirty_subj = "/C={0}/ST={1}/L={2}/O={3}/OU={4}/CN={5}/emailAddress={6}"\ cert_dir = os.path.dirname(cert_path)
.format(crt_country, crt_state, crt_location, crt_organization,\ csr_path = os.path.join(cert_dir, "tmp.csr")
crt_organizationalunit, crt_commonname, crt_email) rc = subprocess.call(["openssl", "req", "-newkey", "rsa:4096", "-nodes","-sha256","-keyout", key_path,\
subj = validate_crt_subj(dirty_subj) "-out", csr_path, "-subj", subj])
return subprocess.call(["openssl", "req", "-new", "-x509", "-key",\ if rc != 0:
private_key_pem, "-out", root_crt, "-days", "3650", "-subj", subj], \ return rc
stdout=FNULL, stderr=subprocess.STDOUT) return subprocess.call(["openssl", "x509", "-req", "-days", "3650", "-in", csr_path, "-CA", \
ca_cert, "-CAkey", ca_key, "-CAcreateserial", "-out", cert_path])
def openssl_is_installed(stat): def openssl_is_installed(stat):
if stat == 0: if stat == 0:
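Review bot: The private key files written by `openssl genrsa -out key_path` in create_root_cert and by `req -newkey rsa:4096 -nodes -keyout key_path` in create_cert get whatever mode the installed openssl and the caller's umask produce, and shutil.copy2 later preserves that mode into the config directory; an explicit `os.chmod(key_path, 0o600)` after each successful openssl call would pin the mode regardless of openssl version. create_cert also leaves `tmp.csr` next to the certificate and `-CAcreateserial` drops a `.srl` file beside the CA cert, neither of which is cleaned up, so an `os.remove(csr_path)` before the final return (and a comment noting the serial file) would keep the temp directory tidy. The leaf certificate is issued from a CSR carrying only a CN and no subjectAltName, which some TLS clients no longer match against the hostname; if that is acceptable for the signer-to-server link, a one-line comment on create_cert saying so would save the next reader the question. The stat_decorator message reads `kw['key_path']` and `kw['cert_path']`, so both wrapped functions must always be called with those as keyword arguments, as the visible callers do; a short docstring on the decorator stating that contract is worth adding. This is the first hunk of the file section; openssl_is_installed and the section itself continue beyond the visible lines.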
@ -296,15 +300,14 @@ def openssl_is_installed(stat):
if customize_crt == 'on': if customize_crt == 'on':
shell_stat = subprocess.check_call(["which", "openssl"], stdout=FNULL, stderr=subprocess.STDOUT) shell_stat = subprocess.check_call(["which", "openssl"], stdout=FNULL, stderr=subprocess.STDOUT)
if openssl_is_installed(shell_stat): if openssl_is_installed(shell_stat):
empty_subj = "/C=/ST=/L=/O=/CN=/"
private_key_pem = os.path.join(config_dir, "ui", "private_key.pem") private_key_pem = os.path.join(config_dir, "ui", "private_key.pem")
root_crt = os.path.join(config_dir, "registry", "root.crt") root_crt = os.path.join(config_dir, "registry", "root.crt")
create_root_cert(empty_subj, key_path=private_key_pem, cert_path=root_crt)
check_private_key_stat(path=private_key_pem)
check_certificate_stat(path=root_crt)
else: else:
print("Generated configuration file: %s" % ui_config_dir + "private_key.pem") print("Copied configuration file: %s" % ui_config_dir + "private_key.pem")
shutil.copyfile(os.path.join(templates_dir, "ui", "private_key.pem"), os.path.join(ui_config_dir, "private_key.pem")) shutil.copyfile(os.path.join(templates_dir, "ui", "private_key.pem"), os.path.join(ui_config_dir, "private_key.pem"))
print("Generated configuration file: %s" % registry_config_dir + "root.crt") print("Copied configuration file: %s" % registry_config_dir + "root.crt")
shutil.copyfile(os.path.join(templates_dir, "registry", "root.crt"), os.path.join(registry_config_dir, "root.crt")) shutil.copyfile(os.path.join(templates_dir, "registry", "root.crt"), os.path.join(registry_config_dir, "root.crt"))
FNULL.close() FNULL.close()
@ -316,10 +319,27 @@ if args.notary_mode:
shutil.rmtree(os.path.join(notary_config_dir, "mysql-initdb.d")) shutil.rmtree(os.path.join(notary_config_dir, "mysql-initdb.d"))
shutil.copytree(os.path.join(notary_temp_dir, "mysql-initdb.d"), os.path.join(notary_config_dir, "mysql-initdb.d")) shutil.copytree(os.path.join(notary_temp_dir, "mysql-initdb.d"), os.path.join(notary_config_dir, "mysql-initdb.d"))
#TODO:generate certs? #TODO:generate certs?
print("Copying certs for notary signer") if customize_crt == 'on':
shutil.copy2(os.path.join(notary_temp_dir, "notary-signer.crt"), notary_config_dir) temp_cert_dir = os.path.join(base_dir, "cert_tmp")
shutil.copy2(os.path.join(notary_temp_dir, "notary-signer.key"), notary_config_dir) if not os.path.exists(temp_cert_dir):
shutil.copy2(os.path.join(notary_temp_dir, "root-ca.crt"), notary_config_dir) os.makedirs(temp_cert_dir)
ca_subj = "/C=US/ST=California/L=Palo Alto/O=Vmware/CN=Self Signed CA/"
cert_subj = "/C=US/ST=California/L=Palo Alto/O=Vmware/CN=notarysigner/"
signer_ca_cert = os.path.join(temp_cert_dir, "notary-signer-ca.crt")
signer_ca_key = os.path.join(temp_cert_dir, "notary-signer-ca.key")
signer_cert_path = os.path.join(temp_cert_dir, "notary-signer.crt")
signer_key_path = os.path.join(temp_cert_dir, "notary-signer.key")
create_root_cert(ca_subj, key_path=signer_ca_key, cert_path=signer_ca_cert)
create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path)
print("Copying certs for notary signer")
shutil.copy2(signer_cert_path, notary_config_dir)
shutil.copy2(signer_key_path, notary_config_dir)
shutil.copy2(signer_ca_cert, notary_config_dir)
else:
print("Copying certs for notary signer")
shutil.copy2(os.path.join(notary_temp_dir, "notary-signer.crt"), notary_config_dir)
shutil.copy2(os.path.join(notary_temp_dir, "notary-signer.key"), notary_config_dir)
shutil.copy2(os.path.join(notary_temp_dir, "notary-signer-ca.crt"), notary_config_dir)
shutil.copy2(os.path.join(registry_config_dir, "root.crt"), notary_config_dir) shutil.copy2(os.path.join(registry_config_dir, "root.crt"), notary_config_dir)
print("Copying notary signer configuration file") print("Copying notary signer configuration file")