1. copy ca to download directory if nedded 2.add IP to san 3.ignore harbor admin password and database password in subsequent boot

This commit is contained in:
Wenkai Yin 2016-11-17 18:49:15 +08:00
parent 64b3c7f261
commit a02f8f5740
4 changed files with 95 additions and 48 deletions

View File

@ -73,4 +73,18 @@ function configSSH {
fi
systemctl restart sshd
}
#Configure attr in harbor.cfg
function configureHarborCfg {
cfg_key=$1
cfg_value=$2
basedir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cfg_file=$basedir/../harbor/harbor.cfg
if [ -n "$cfg_key" ]
then
sed -i -r s%"#?$cfg_key\s*=\s*.*"%"$cfg_key = $cfg_value"% $cfg_file
fi
}

View File

@ -2,7 +2,6 @@
set -e
attrs=(
harbor_admin_password
ldap_url
ldap_searchdn
ldap_search_pwd
@ -14,23 +13,30 @@ attrs=(
email_password
email_from
email_ssl
db_password
verify_remote_cert
self_registration
)
cert=/data/cert/server.crt
key=/data/cert/server.key
csr=/data/cert/server.csr
ca_cert=/data/cert/ca.crt
ca_key=/data/cert/ca.key
ext=/data/cert/extfile.cnf
cert_dir=/data/cert
mkdir -p $cert_dir
cert=$cert_dir/server.crt
key=$cert_dir/server.key
csr=$cert_dir/server.csr
ca_cert=$cert_dir/ca.crt
ca_key=$cert_dir/ca.key
ext=$cert_dir/extfile.cnf
ca_download_dir=/data/ca_download
mkdir -p $ca_download_dir
rm -rf $ca_download_dir/*
hostname=""
ip_addr=""
base_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"
source $base_dir/script/common.sh
isFQDN=true
flag=$base_dir/cert_gen_type
#The location of harbor.cfg
@ -56,18 +62,15 @@ function genCert {
fi
openssl req -newkey rsa:4096 -nodes -sha256 -keyout $key \
-out $csr -subj \
"/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=Harbor/CN=$hostname"
if [ "$isFQDN" = false ]
then
echo "Add subjectAltName = IP: $hostname to certificate"
echo subjectAltName = IP:$hostname > $ext
#openssl x509 -req -days 365 -in $csr -signkey $key -extfile $ext -out $cert
openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -extfile $ext -out $cert
else
#openssl x509 -req -days 365 -in $csr -signkey $key -out $cert
openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -out $cert
fi
"/C=US/ST=California/L=Palo Alto/O=VMware/OU=Harbor/CN=$hostname"
echo "Add subjectAltName = IP: $ip_addr to certificate"
echo subjectAltName = IP:$ip_addr > $ext
openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -extfile $ext -out $cert
echo "self-signed" > $flag
echo "Copy CA certificate to $ca_download_dir"
cp $ca_cert $ca_download_dir/
}
function secure {
@ -86,9 +89,9 @@ function secure {
return
fi
if [ ! -e $cert ] || [ ! -e $key ]
if [ ! -e $ca_cert ] || [ ! -e $cert ] || [ ! -e $key ]
then
echo "Certificate or key file does not exist, will generate a self-signed certificate"
echo "CA, Certificate or key file does not exist, will generate a self-signed certificate"
genCert
return
fi
@ -114,22 +117,32 @@ function secure {
genCert
return
fi
echo "Use the existing certificate and key file"
ip_in_cert=$(openssl x509 -noout -text -in $cert | sed -n '/IP Address:/s/.*IP Address://p') || true
if [ "$ip_addr" != "$ip_in_cert" ]
then
echo "IP changed: $ip_in_cert -> $ip_addr , will generate a new self-signed certificate"
genCert
return
fi
echo "Use the existing CA, certificate and key file"
echo "Copy CA certificate to $ca_download_dir"
cp $ca_cert $ca_download_dir/
}
#Modify hostname
hostname=$(hostname --fqdn) || true
ip_addr=$(ip addr show eth0|grep "inet "|tr -s ' '|cut -d ' ' -f 3|cut -d '/' -f 1)
if [ -z "$hostname" ]
then
isFQDN=false
hostname=$(ip addr show eth0|grep "inet "|tr -s ' '|cut -d ' ' -f 3|cut -d '/' -f 1)
hostname=$ip_addr
fi
if [ -n "$hostname" ]
then
echo "Read hostname/IP: [ hostname/IP - $hostname ]"
sed -i -r s/"hostname\s*=\s*.*"/"hostname = $hostname"/ $cfg
configureHarborCfg hostname $hostname
else
echo "Failed to get the hostname/IP"
exit 1
@ -144,7 +157,7 @@ then
fi
echo "Protocol: $protocol"
sed -i -r s%"#?ui_url_protocol\s*=\s*.*"%"ui_url_protocol = $protocol"% $cfg
configureHarborCfg ui_url_protocol $protocol
if [ $protocol = "https" ]
then
@ -160,14 +173,12 @@ do
if [ -n "$value" ] || [ "$attr" = "ldap_search_pwd" ] \
|| [ "$attr" = "email_password" ]
then
if [ "$attr" = ldap_search_pwd ] \
|| [ "$attr" = email_password ] \
|| [ "$attr" = db_password ] \
|| [ "$attr" = harbor_admin_password ]
then
bs=$(echo $value | base64)
#value={base64}$bs
fi
sed -i -r s%"#?$attr\s*=\s*.*"%"$attr = $value"% $cfg
#if [ "$attr" = ldap_search_pwd ] \
# || [ "$attr" = email_password ]
#then
# bs=$(echo $value | base64)
# value={base64}$bs
#fi
configureHarborCfg $attr $value
fi
done

View File

@ -37,17 +37,7 @@ load
echo "Configuring Harbor..."
chmod 600 $base_dir/../harbor/harbor.cfg
#Configure authentication mode
echo "Read attribute using ovfenv: [ auth_mode ]"
auth_mode=$(ovfenv -k auth_mode)
if [ -n "$auth_mode" ]
then
sed -i -r s%"#?auth_mode\s*=\s*.*"%"auth_mode = $auth_mode"% $base_dir/../harbor/harbor.cfg
fi
#Configure other attrs
mkdir -p /data/cert/
configure
$base_dir/firstboot_config.sh
#Start Harbor
echo "Starting Harbor..."

View File

@ -0,0 +1,32 @@
#!/bin/bash
set -e
base_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
source $base_dir/common.sh
#Configure authentication mode
echo "Read attribute using ovfenv: [ auth_mode ]"
auth_mode=$(ovfenv -k auth_mode)
if [ -n "$auth_mode" ]
then
configureHarborCfg auth_mode $auth_mode
fi
#Configure password of Harbor administrator
echo "Read attribute using ovfenv: [ harbor_admin_password ]"
adm_pwd=$(ovfenv -k harbor_admin_password)
if [ -n "$adm_pwd" ]
then
configureHarborCfg harbor_admin_password $adm_pwd
fi
#Configure password of database
echo "Read attribute using ovfenv: [ db_password ]"
db_pwd=$(ovfenv -k db_password)
if [ -n "$db_pwd" ]
then
configureHarborCfg db_password $db_pwd
fi
#Configure other attrs
configure