add install cert for registry contoller (#7633)

Mount the ca bunlder into registry controller, and add them into os
trust store that resolves the problem of garabe collection on ca
enabled registry.

Signed-off-by: wang yan <wangyan@vmware.com>

make/docker-compose.tpl

@@ -1,233 +0,0 @@
-version: '2'
-services:
-  log:
-    image: goharbor/harbor-log:__version__
-    container_name: harbor-log 
-    restart: always
-    dns_search: .
-    cap_drop:
-      - ALL
-    cap_add:
-      - CHOWN
-      - DAC_OVERRIDE
-      - SETGID
-      - SETUID
-    volumes:
-      - /var/log/harbor/:/var/log/docker/:z
-      - ./common/config/log/:/etc/logrotate.d/:z
-    ports:
-      - 127.0.0.1:1514:10514
-    networks:
-      - harbor
-  registry:
-    image: goharbor/registry-photon:__reg_version__
-    container_name: registry
-    restart: always
-    cap_drop:
-      - ALL
-    cap_add:
-      - CHOWN
-      - SETGID
-      - SETUID
-    volumes:
-      - /data/registry:/storage:z
-      - ./common/config/registry/:/etc/registry/:z
-      - ./common/config/custom-ca-bundle.crt:/harbor_cust_cert/custom-ca-bundle.crt:z
-    networks:
-      - harbor
-    dns_search: .
-    depends_on:
-      - log
-    logging:
-      driver: "syslog"
-      options:  
-        syslog-address: "tcp://127.0.0.1:1514"
-        tag: "registry"
-  registryctl:
-    image: goharbor/harbor-registryctl:__version__
-    container_name: registryctl
-    env_file:
-      - ./common/config/registryctl/env
-    restart: always
-    cap_drop:
-      - ALL
-    cap_add:
-      - CHOWN
-      - SETGID
-      - SETUID
-    volumes:
-      - /data/registry:/storage:z
-      - ./common/config/registry/:/etc/registry/:z
-      - ./common/config/registryctl/config.yml:/etc/registryctl/config.yml:z
-    networks:
-      - harbor
-    dns_search: .
-    depends_on:
-      - log
-    logging:
-      driver: "syslog"
-      options:  
-        syslog-address: "tcp://127.0.0.1:1514"
-        tag: "registryctl"
-  postgresql:
-    image: goharbor/harbor-db:__version__
-    container_name: harbor-db
-    restart: always
-    cap_drop:
-      - ALL
-    cap_add:
-      - CHOWN
-      - DAC_OVERRIDE
-      - SETGID
-      - SETUID
-    volumes:
-      - /data/database:/var/lib/postgresql/data:z
-    networks:
-      - harbor
-    dns_search: .
-    env_file:
-      - ./common/config/db/env
-    depends_on:
-      - log
-    logging:
-      driver: "syslog"
-      options:  
-        syslog-address: "tcp://127.0.0.1:1514"
-        tag: "postgresql"
-  core:
-    image: goharbor/harbor-core:__version__
-    container_name: harbor-core
-    env_file:
-      - ./common/config/core/env
-      - ./common/config/core/config_env
-    restart: always
-    cap_drop:
-      - ALL
-    cap_add:
-      - SETGID
-      - SETUID
-    volumes:
-      - ./common/config/core/app.conf:/etc/core/app.conf:z
-      - ./common/config/core/private_key.pem:/etc/core/private_key.pem:z
-      - ./common/config/core/certificates/:/etc/core/certificates/:z
-      - /data/secretkey:/etc/core/key:z
-      - /data/ca_download/:/etc/core/ca/:z
-      - /data/psc/:/etc/core/token/:z
-      - /data/:/data/:z
-    networks:
-      - harbor
-    dns_search: .
-    depends_on:
-      - log
-      - registry
-    logging:
-      driver: "syslog"
-      options:  
-        syslog-address: "tcp://127.0.0.1:1514"
-        tag: "core"
-  portal:
-    image: goharbor/harbor-portal:__version__
-    container_name: harbor-portal
-    restart: always
-    cap_drop:
-      - ALL
-    cap_add:
-      - CHOWN
-      - SETGID
-      - SETUID
-      - NET_BIND_SERVICE
-    networks:
-      - harbor
-    dns_search: .
-    depends_on:
-      - log
-      - core
-    logging:
-      driver: "syslog"
-      options:
-        syslog-address: "tcp://127.0.0.1:1514"
-        tag: "portal"
-
-  jobservice:
-    image: goharbor/harbor-jobservice:__version__
-    container_name: harbor-jobservice
-    env_file:
-      - ./common/config/jobservice/env
-    restart: always
-    cap_drop:
-      - ALL
-    cap_add:
-      - CHOWN
-      - SETGID
-      - SETUID
-    volumes:
-      - /data/job_logs:/var/log/jobs:z
-      - ./common/config/jobservice/config.yml:/etc/jobservice/config.yml:z
-    networks:
-      - harbor
-    dns_search: .
-    depends_on:
-      - redis
-      - core
-    logging:
-      driver: "syslog"
-      options:
-        syslog-address: "tcp://127.0.0.1:1514"
-        tag: "jobservice"
-  redis:
-    image: goharbor/redis-photon:__redis_version__
-    container_name: redis
-    restart: always
-    cap_drop:
-      - ALL
-    cap_add:
-      - CHOWN
-      - SETGID
-      - SETUID
-    volumes:
-      - /data/redis:/var/lib/redis
-    networks:
-      - harbor
-    dns_search: .
-    depends_on:
-      - log
-    logging:
-      driver: "syslog"
-      options:
-        syslog-address: "tcp://127.0.0.1:1514"
-        tag: "redis"
-  proxy:
-    image: goharbor/nginx-photon:__version__
-    container_name: nginx
-    restart: always
-    cap_drop:
-      - ALL
-    cap_add:
-      - CHOWN
-      - SETGID
-      - SETUID
-      - NET_BIND_SERVICE
-    volumes:
-      - ./common/config/nginx:/etc/nginx:z
-    networks:
-      - harbor
-    dns_search: .
-    ports:
-      - 80:80
-      - 443:443
-      - 4443:4443
-    depends_on:
-      - postgresql
-      - registry
-      - core
-      - portal
-      - log
-    logging:
-      driver: "syslog"
-      options:  
-        syslog-address: "tcp://127.0.0.1:1514"
-        tag: "proxy"
-networks:
-  harbor:
-    external: false
-

make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja

@@ -68,6 +68,9 @@ services:
       - {{data_volume}}/registry:/storage:z
       - ./common/config/registry/:/etc/registry/:z
       - ./common/config/registryctl/config.yml:/etc/registryctl/config.yml:z
+{%if registry_custom_ca_bundle_path %}
+      - {{registry_custom_ca_bundle_path}}:/harbor_cust_cert/custom-ca-bundle.crt:z
+{% endif %}
     networks:
       - harbor
     dns_search: .

make/photon/registry/Dockerfile

@@ -6,17 +6,15 @@ MAINTAINER wangyan@vmware.com
 RUN tdnf install sudo -y >> /dev/null\
     && tdnf clean all \
     && mkdir /harbor/ \
+    && mkdir -p /etc/registry \
     && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor  
 
-COPY  ./make/photon/common/install_cert.sh /harbor 
-
+COPY ./make/photon/common/install_cert.sh /harbor
 COPY ./make/photon/registry/entrypoint.sh /
-RUN chmod u+x /entrypoint.sh
-
-RUN mkdir -p /etc/registry
-
 COPY ./make/photon/registry/binary/registry /usr/bin
-RUN chmod u+x /usr/bin/registry
+
+RUN chmod u+x /entrypoint.sh \
+    && chmod u+x /usr/bin/registry
 
 HEALTHCHECK CMD curl 127.0.0.1:5000/
 

make/photon/registryctl/Dockerfile

@@ -2,11 +2,13 @@ FROM photon:2.0
 
 MAINTAINER wangyan@vmware.com
 
-RUN tdnf install sudo -y >> /dev/null\
+RUN tdnf install sudo -y >> /dev/null \
     && tdnf clean all \
     && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor \
-    && mkdir -p /etc/registry
+    && mkdir -p /etc/registry \
+    && mkdir /harbor/
 
+COPY ./make/photon/common/install_cert.sh /harbor
 COPY ./make/photon/registry/binary/registry /usr/bin
 COPY ./make/photon/registryctl/start.sh /harbor/
 COPY ./make/photon/registryctl/harbor_registryctl /harbor/

make/photon/registryctl/start.sh

@@ -17,4 +17,6 @@ if [ -d /storage ]; then
     fi
 fi
 
+/harbor/install_cert.sh
+
 sudo -E -u \#10000 "/harbor/harbor_registryctl" "-c" "/etc/registryctl/config.yml"