Enhance: User can generate cert by their own ca key pair

User can put their ca key pair on internal cert dir and name them to `harbor_internal_ca.key` and `harbor_internal_ca.crt` we wil use them to generate other certs Signed-off-by: DQ <dengq@vmware.com>
2024-11-22 10:15:35 +01:00 · 2020-03-18 11:25:04 +08:00 · 2020-03-18 11:25:04 +08:00 · 6e8d44101f
commit 6e8d44101f
parent b93092e012
2 changed files with 13 additions and 8 deletions
--- a/make/photon/prepare/scripts/gencert.sh
+++ b/make/photon/prepare/scripts/gencert.sh
@ -9,12 +9,17 @@ else
    DAYS=$1
 fi

-# CA key and certificate
-openssl req -x509 -nodes -days $DAYS -newkey rsa:4096 \
-        -keyout "harbor_internal_ca.key" \
-        -out "harbor_internal_ca.crt" \
-        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware"
+CA_KEY="harbor_internal_ca.key"
+CA_CRT="harbor_internal_ca.crt"

+# CA key and certificate
+if [[ ! -f $CA_KEY && ! -f $CA_CRT ]]; then
+openssl req -x509 -nodes -days $DAYS -newkey rsa:4096 \
+        -keyout $CA_KEY -out $CA_CRT \
+        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware"
+else
+    echo "$CA_KEY and $CA_CRT exist, use them to generate certs"
+fi

 # generate proxy key and csr
 openssl req -new -newkey rsa:4096 -nodes -sha256 \
@ -69,7 +74,7 @@ openssl x509 -req -days $DAYS -sha256 -in registryctl.csr -CA harbor_internal_ca
 openssl req -new \
        -newkey rsa:4096 -nodes -sha256 -keyout clair_adapter.key \
        -out clair_adapter.csr \
-        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair_adapter"
+        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair-adapter"

 # sign clair_adapter csr with CA certificate and key
 openssl x509 -req -days $DAYS -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair_adapter.crt
@ -89,7 +94,7 @@ openssl x509 -req -days $DAYS -sha256 -in clair.csr -CA harbor_internal_ca.crt -
 openssl req -new \
        -newkey rsa:4096 -nodes -sha256 -keyout trivy_adapter.key \
        -out trivy_adapter.csr \
-        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=trivy_adapter"
+        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=trivy-adapter"

 # sign trivy_adapter csr with CA certificate and key
 openssl x509 -req -days $DAYS -sha256 -in trivy_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out trivy_adapter.crt
--- a/make/photon/prepare/utils/configs.py
+++ b/make/photon/prepare/utils/configs.py
@ -359,7 +359,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
        config_dict['token_service_url'] = 'https://core:8443/service/token'
        config_dict['jobservice_url'] = 'https://jobservice:8443'
        config_dict['clair_adapter_url'] = 'https://clair-adapter:8443'
-        config_dict['trivy_adapter_url'] = 'http://trivy-adapter:8443'
+        config_dict['trivy_adapter_url'] = 'https://trivy-adapter:8443'
        # config_dict['notary_url'] = 'http://notary-server:4443'
        config_dict['chart_repository_url'] = 'https://chartmuseum:9443'