mirror of https://github.com/goharbor/harbor.git
1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot
This commit is contained in:
Wenkai Yin
parent
64b3c7f261
commit
a02f8f5740
|
|
@ -73,4 +73,18 @@ function configSSH {
|
|||
fi
|
||||
|
||||
systemctl restart sshd
|
||||
}
|
||||
|
||||
#Configure attr in harbor.cfg
|
||||
function configureHarborCfg {
|
||||
cfg_key=$1
|
||||
cfg_value=$2
|
||||
|
||||
basedir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
||||
cfg_file=$basedir/../harbor/harbor.cfg
|
||||
|
||||
if [ -n "$cfg_key" ]
|
||||
then
|
||||
sed -i -r s%"#?$cfg_key\s*=\s*.*"%"$cfg_key = $cfg_value"% $cfg_file
|
||||
fi
|
||||
}
|
||||
|
|
@ -2,7 +2,6 @@
|
|||
set -e
|
||||
|
||||
attrs=(
|
||||
harbor_admin_password
|
||||
ldap_url
|
||||
ldap_searchdn
|
||||
ldap_search_pwd
|
||||
|
|
@ -14,23 +13,30 @@ attrs=(
|
|||
email_password
|
||||
email_from
|
||||
email_ssl
|
||||
db_password
|
||||
verify_remote_cert
|
||||
self_registration
|
||||
)
|
||||
|
||||
cert=/data/cert/server.crt
|
||||
key=/data/cert/server.key
|
||||
csr=/data/cert/server.csr
|
||||
ca_cert=/data/cert/ca.crt
|
||||
ca_key=/data/cert/ca.key
|
||||
ext=/data/cert/extfile.cnf
|
||||
cert_dir=/data/cert
|
||||
mkdir -p $cert_dir
|
||||
|
||||
cert=$cert_dir/server.crt
|
||||
key=$cert_dir/server.key
|
||||
csr=$cert_dir/server.csr
|
||||
ca_cert=$cert_dir/ca.crt
|
||||
ca_key=$cert_dir/ca.key
|
||||
ext=$cert_dir/extfile.cnf
|
||||
|
||||
ca_download_dir=/data/ca_download
|
||||
mkdir -p $ca_download_dir
|
||||
rm -rf $ca_download_dir/*
|
||||
|
||||
hostname=""
|
||||
ip_addr=""
|
||||
|
||||
base_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"
|
||||
source $base_dir/script/common.sh
|
||||
|
||||
isFQDN=true
|
||||
flag=$base_dir/cert_gen_type
|
||||
|
||||
#The location of harbor.cfg
|
||||
|
|
@ -56,18 +62,15 @@ function genCert {
|
|||
fi
|
||||
openssl req -newkey rsa:4096 -nodes -sha256 -keyout $key \
|
||||
-out $csr -subj \
|
||||
"/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=Harbor/CN=$hostname"
|
||||
if [ "$isFQDN" = false ]
|
||||
then
|
||||
echo "Add subjectAltName = IP: $hostname to certificate"
|
||||
echo subjectAltName = IP:$hostname > $ext
|
||||
#openssl x509 -req -days 365 -in $csr -signkey $key -extfile $ext -out $cert
|
||||
openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -extfile $ext -out $cert
|
||||
else
|
||||
#openssl x509 -req -days 365 -in $csr -signkey $key -out $cert
|
||||
openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -out $cert
|
||||
fi
|
||||
"/C=US/ST=California/L=Palo Alto/O=VMware/OU=Harbor/CN=$hostname"
|
||||
|
||||
echo "Add subjectAltName = IP: $ip_addr to certificate"
|
||||
echo subjectAltName = IP:$ip_addr > $ext
|
||||
openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -extfile $ext -out $cert
|
||||
|
||||
echo "self-signed" > $flag
|
||||
echo "Copy CA certificate to $ca_download_dir"
|
||||
cp $ca_cert $ca_download_dir/
|
||||
}
|
||||
|
||||
function secure {
|
||||
|
|
@ -86,9 +89,9 @@ function secure {
|
|||
return
|
||||
fi
|
||||
|
||||
if [ ! -e $cert ] || [ ! -e $key ]
|
||||
if [ ! -e $ca_cert ] || [ ! -e $cert ] || [ ! -e $key ]
|
||||
then
|
||||
echo "Certificate or key file does not exist, will generate a self-signed certificate"
|
||||
echo "CA, Certificate or key file does not exist, will generate a self-signed certificate"
|
||||
genCert
|
||||
return
|
||||
fi
|
||||
|
|
@ -114,22 +117,32 @@ function secure {
|
|||
genCert
|
||||
return
|
||||
fi
|
||||
|
||||
echo "Use the existing certificate and key file"
|
||||
|
||||
ip_in_cert=$(openssl x509 -noout -text -in $cert | sed -n '/IP Address:/s/.*IP Address://p') || true
|
||||
if [ "$ip_addr" != "$ip_in_cert" ]
|
||||
then
|
||||
echo "IP changed: $ip_in_cert -> $ip_addr , will generate a new self-signed certificate"
|
||||
genCert
|
||||
return
|
||||
fi
|
||||
|
||||
echo "Use the existing CA, certificate and key file"
|
||||
echo "Copy CA certificate to $ca_download_dir"
|
||||
cp $ca_cert $ca_download_dir/
|
||||
}
|
||||
|
||||
#Modify hostname
|
||||
hostname=$(hostname --fqdn) || true
|
||||
ip_addr=$(ip addr show eth0|grep "inet "|tr -s ' '|cut -d ' ' -f 3|cut -d '/' -f 1)
|
||||
if [ -z "$hostname" ]
|
||||
then
|
||||
isFQDN=false
|
||||
hostname=$(ip addr show eth0|grep "inet "|tr -s ' '|cut -d ' ' -f 3|cut -d '/' -f 1)
|
||||
hostname=$ip_addr
|
||||
fi
|
||||
|
||||
if [ -n "$hostname" ]
|
||||
then
|
||||
echo "Read hostname/IP: [ hostname/IP - $hostname ]"
|
||||
sed -i -r s/"hostname\s*=\s*.*"/"hostname = $hostname"/ $cfg
|
||||
configureHarborCfg hostname $hostname
|
||||
else
|
||||
echo "Failed to get the hostname/IP"
|
||||
exit 1
|
||||
|
|
@ -144,7 +157,7 @@ then
|
|||
fi
|
||||
|
||||
echo "Protocol: $protocol"
|
||||
sed -i -r s%"#?ui_url_protocol\s*=\s*.*"%"ui_url_protocol = $protocol"% $cfg
|
||||
configureHarborCfg ui_url_protocol $protocol
|
||||
|
||||
if [ $protocol = "https" ]
|
||||
then
|
||||
|
|
@ -160,14 +173,12 @@ do
|
|||
if [ -n "$value" ] || [ "$attr" = "ldap_search_pwd" ] \
|
||||
|| [ "$attr" = "email_password" ]
|
||||
then
|
||||
if [ "$attr" = ldap_search_pwd ] \
|
||||
|| [ "$attr" = email_password ] \
|
||||
|| [ "$attr" = db_password ] \
|
||||
|| [ "$attr" = harbor_admin_password ]
|
||||
then
|
||||
bs=$(echo $value | base64)
|
||||
#value={base64}$bs
|
||||
fi
|
||||
sed -i -r s%"#?$attr\s*=\s*.*"%"$attr = $value"% $cfg
|
||||
#if [ "$attr" = ldap_search_pwd ] \
|
||||
# || [ "$attr" = email_password ]
|
||||
#then
|
||||
# bs=$(echo $value | base64)
|
||||
# value={base64}$bs
|
||||
#fi
|
||||
configureHarborCfg $attr $value
|
||||
fi
|
||||
done
|
||||
|
|
@ -37,17 +37,7 @@ load
|
|||
echo "Configuring Harbor..."
|
||||
chmod 600 $base_dir/../harbor/harbor.cfg
|
||||
|
||||
#Configure authentication mode
|
||||
echo "Read attribute using ovfenv: [ auth_mode ]"
|
||||
auth_mode=$(ovfenv -k auth_mode)
|
||||
if [ -n "$auth_mode" ]
|
||||
then
|
||||
sed -i -r s%"#?auth_mode\s*=\s*.*"%"auth_mode = $auth_mode"% $base_dir/../harbor/harbor.cfg
|
||||
fi
|
||||
|
||||
#Configure other attrs
|
||||
mkdir -p /data/cert/
|
||||
configure
|
||||
$base_dir/firstboot_config.sh
|
||||
|
||||
#Start Harbor
|
||||
echo "Starting Harbor..."
|
||||
|
|
|
|||
|
|
@ -0,0 +1,32 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
base_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
||||
source $base_dir/common.sh
|
||||
|
||||
#Configure authentication mode
|
||||
echo "Read attribute using ovfenv: [ auth_mode ]"
|
||||
auth_mode=$(ovfenv -k auth_mode)
|
||||
if [ -n "$auth_mode" ]
|
||||
then
|
||||
configureHarborCfg auth_mode $auth_mode
|
||||
fi
|
||||
|
||||
#Configure password of Harbor administrator
|
||||
echo "Read attribute using ovfenv: [ harbor_admin_password ]"
|
||||
adm_pwd=$(ovfenv -k harbor_admin_password)
|
||||
if [ -n "$adm_pwd" ]
|
||||
then
|
||||
configureHarborCfg harbor_admin_password $adm_pwd
|
||||
fi
|
||||
|
||||
#Configure password of database
|
||||
echo "Read attribute using ovfenv: [ db_password ]"
|
||||
db_pwd=$(ovfenv -k db_password)
|
||||
if [ -n "$db_pwd" ]
|
||||
then
|
||||
configureHarborCfg db_password $db_pwd
|
||||
fi
|
||||
|
||||
#Configure other attrs
|
||||
configure
|
||||
Loading…
Reference in New Issue