store secretkey in data volume and remove it from harbor.cfg

2024-11-26 04:05:40 +01:00 · 2016-10-18 18:06:47 +08:00 · 2016-10-18 18:06:47 +08:00 · 9889bdd525
commit 9889bdd525
parent 6b8d400c12
2 changed files with 22 additions and 11 deletions
--- a/Deploy/harbor.cfg
+++ b/Deploy/harbor.cfg
@ -60,11 +60,6 @@ use_compressed_js = on
 #Maximum number of job workers in job service  
 max_job_workers = 3 

-#Secret key for encryption/decryption of password of remote registry, its length has to be 16 chars
-#**NOTE** if this changes, previously encrypted password will not be decrypted!
-#Change this key before any production use.
-secret_key = secretkey1234567
-
 #The expiration time (in minute) of token created by token service, default is 30 minutes
 token_expiration = 30

@ -92,4 +87,3 @@ crt_email = example@example.com
 ssl_cert = /path/to/server.crt
 ssl_cert_key = /path/to/server.key
 #############
-#####
--- a/Deploy/prepare
+++ b/Deploy/prepare
@ -20,8 +20,6 @@ if sys.version_info[:3][0] == 3:
    import io as StringIO

 def validate(conf): 
-    if len(conf.get("configuration", "secret_key")) != 16:
-        raise Exception("Error: The length of secret key has to be 16 characters!")
    protocol = rcp.get("configuration", "ui_url_protocol")
    if protocol == "https":
        if not rcp.has_option("configuration", "ssl_cert"):
@ -35,9 +33,27 @@ def validate(conf):
        if not os.path.isfile(cert_key_path):
            raise Exception("Error: The path for certificate key: %s is invalid" % cert_key_path)

-
+def get_secret_key(path):
+    key_file = os.path.join(path, "secretkey")
+    if os.path.isfile(key_file):
+        with open(key_file, 'r') as f:
+            key = f.read()
+            print("loaded secret key")
+        if len(key) != 16:
+            raise Exception("secret key's length has to be 16 chars, current length: %d" % len(key))
+        return key
+    if not os.path.isdir(path):
+        os.makedirs(path, mode=0600)
+    key = ''.join(random.choice(string.ascii_letters+string.digits) for i in range(16))  
+    with open(key_file, 'w') as f:
+        f.write(key)
+        print("generated and saved secret key")
+    return key
+    
 parser = argparse.ArgumentParser()
-parser.add_argument('-conf', dest='cfgfile', default = 'harbor.cfg',type=str,help="the path of Harbor configuration file")
+parser.add_argument('-conf', dest='cfgfile', default='harbor.cfg',type=str,help="the path of Harbor configuration file")
+parser.add_argument('--data-volume', dest='data_volume', default='/data/',type=str,help="the path of Harbor data volume, which is set in template of docker-compose.")
+
 args = parser.parse_args()

 #Read configurations
@ -94,7 +110,8 @@ crt_email = rcp.get("configuration", "crt_email")
 max_job_workers = rcp.get("configuration", "max_job_workers")
 token_expiration = rcp.get("configuration", "token_expiration")
 verify_remote_cert = rcp.get("configuration", "verify_remote_cert")
-secret_key = rcp.get("configuration", "secret_key")
+#secret_key = rcp.get("configuration", "secret_key")
+secret_key = get_secret_key(args.data_volume)
 ########

 ui_secret = ''.join(random.choice(string.ascii_letters+string.digits) for i in range(16))