Merge pull request #6247 from stonezdj/trust_cert2

Install custom cert for clair, registry, chartmuseum
2024-11-26 04:05:40 +01:00 · 2018-11-12 14:07:34 +08:00 · 2018-11-12 14:07:34 +08:00 · ae007c2a49
commit ae007c2a49
parent 555c0cb181 0a72f3729a
11 changed files with 35 additions and 37 deletions
--- a/make/docker-compose.chartmuseum.tpl
+++ b/make/docker-compose.chartmuseum.tpl
@ -22,6 +22,7 @@ services:
    volumes:
      - /data/chart_storage:/chart_storage:z
      - ./common/config/chartserver:/etc/chartserver:z
+      - ./common/config/custom-ca-bundle.crt:/harbor_cust_cert/custom-ca-bundle.crt:z
    logging:
      driver: "syslog"
      options:  
--- a/make/docker-compose.clair.tpl
+++ b/make/docker-compose.clair.tpl
@ -28,6 +28,7 @@ services:
      - postgresql
    volumes:
      - ./common/config/clair/config.yaml:/etc/clair/config.yaml:z
+      - ./common/config/custom-ca-bundle.crt:/harbor_cust_cert/custom-ca-bundle.crt:z
    logging:
      driver: "syslog"
      options:  
--- a/make/docker-compose.tpl
+++ b/make/docker-compose.tpl
@ -19,6 +19,7 @@ services:
    volumes:
      - /data/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
+      - ./common/config/custom-ca-bundle.crt:/harbor_cust_cert/custom-ca-bundle.crt:z
    networks:
      - harbor
    dns_search: .
--- a/make/photon/chartserver/Dockerfile
+++ b/make/photon/chartserver/Dockerfile
@ -3,10 +3,12 @@ FROM photon:2.0
 RUN tdnf install -y shadow sudo >>/dev/null\
    && tdnf clean all \
    && mkdir /chartserver/ \
+    && mkdir /harbor/ \
    && groupadd -r -g 10000 chartuser \
    && useradd --no-log-init -m -r -g 10000 -u 10000 chartuser
 COPY ./make/photon/chartserver/binary/chartm /chartserver/
 COPY ./make/photon/chartserver/docker-entrypoint.sh /docker-entrypoint.sh
+COPY ./make/photon/common/install_cert.sh /harbor

 VOLUME ["/chart_storage"]
 EXPOSE 9999
--- a/make/photon/chartserver/docker-entrypoint.sh
+++ b/make/photon/chartserver/docker-entrypoint.sh
@ -7,21 +7,7 @@ if [ -d /chart_storage ]; then
    chown 10000:10000 -R /chart_storage
 fi

-#Config the custom ca bundle
-if [ -f /etc/chartserver/custom-ca-bundle.crt ]; then
-    if grep -q "Photon" /etc/lsb-release; then
-        if [ ! -f /etc/pki/tls/certs/ca-bundle.crt.original ]; then
-            cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.original
-        fi
-
-        echo "Appending custom ca bundle ..."
-        cp /etc/pki/tls/certs/ca-bundle.crt.original /etc/pki/tls/certs/ca-bundle.crt
-        cat /etc/chartserver/custom-ca-bundle.crt >> /etc/pki/tls/certs/ca-bundle.crt
-        echo "Done."
-    else
-        echo "Current OS is not Photon, skip appending ca bundle"
-    fi
-fi
+/harbor/install_cert.sh

 #Start the server process
 sudo -E -H -u \#10000 sh -c "/chartserver/chartm" #Parameters are set by ENV
--- a/make/photon/clair/Dockerfile
+++ b/make/photon/clair/Dockerfile
@ -3,11 +3,13 @@ FROM photon:2.0
 RUN tdnf install -y git shadow sudo rpm xz python-xml >>/dev/null\
    && tdnf clean all \
    && mkdir /clair/ \
+    && mkdir /harbor \
    && groupadd -r -g 10000 clair \
    && useradd --no-log-init -m -r -g 10000 -u 10000 clair
 COPY ./make/photon/clair/binary/clair /clair/
 COPY ./make/photon/clair/docker-entrypoint.sh /docker-entrypoint.sh
 COPY ./make/photon/clair/dumb-init /dumb-init
+COPY ./make/photon/common/install_cert.sh /harbor 

 VOLUME /config

--- a/make/photon/clair/docker-entrypoint.sh
+++ b/make/photon/clair/docker-entrypoint.sh
@ -1,4 +1,6 @@
 #!/bin/bash
 set -e
+
+/harbor/install_cert.sh
 sudo -E -H -u \#10000 sh -c "/dumb-init -- /clair/clair -config /etc/clair/config.yaml $*"
 set +e
--- a/make/photon/common/install_cert.sh
+++ b/make/photon/common/install_cert.sh
@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+if [ ! -f /etc/pki/tls/certs/ca-bundle.crt.original ]; then
+    cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.original
+fi
+
+if [ -f /harbor_cust_cert/custom-ca-bundle.crt ]; then
+    if grep -q "Photon" /etc/lsb-release; then
+        echo "Appending custom ca bundle ..."
+        cp /etc/pki/tls/certs/ca-bundle.crt.original /etc/pki/tls/certs/ca-bundle.crt
+        cat /harbor_cust_cert/custom-ca-bundle.crt >> /etc/pki/tls/certs/ca-bundle.crt
+        echo "Done."
+    else
+        echo "Current OS is not Photon, skip appending ca bundle"
+    fi
+fi
--- a/make/photon/registry/Dockerfile
+++ b/make/photon/registry/Dockerfile
@ -5,7 +5,10 @@ MAINTAINER wangyan@vmware.com
 # The original script in the docker offical registry image.
 RUN tdnf install sudo -y >> /dev/null\
    && tdnf clean all \
-    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor
+    && mkdir /harbor/ \
+    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor  
+
+COPY  ./make/photon/common/install_cert.sh /harbor 

 COPY ./make/photon/registry/entrypoint.sh /
 RUN chmod u+x /entrypoint.sh
--- a/make/photon/registry/entrypoint.sh
+++ b/make/photon/registry/entrypoint.sh
@ -17,20 +17,7 @@ if [ -d /storage ]; then
    fi
 fi

-if [ ! -f /etc/pki/tls/certs/ca-bundle.crt.original ]; then
-    cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.original
-fi
-
-if [ -f /etc/registry/custom-ca-bundle.crt ]; then
-    if grep -q "Photon" /etc/lsb-release; then
-        echo "Appending custom ca bundle ..."
-        cp /etc/pki/tls/certs/ca-bundle.crt.original /etc/pki/tls/certs/ca-bundle.crt
-        cat /etc/registry/custom-ca-bundle.crt >> /etc/pki/tls/certs/ca-bundle.crt
-        echo "Done."
-    else
-        echo "Current OS is not Photon, skip appending ca bundle"
-    fi
-fi
+/harbor/install_cert.sh

 case "$1" in
    *.yaml|*.yml) set -- registry serve "$@" ;;
--- a/make/prepare
+++ b/make/prepare
@ -532,8 +532,8 @@ else:
    shutil.copyfile(os.path.join(templates_dir, "registry", "root.crt"), os.path.join(registry_config_dir, "root.crt"))

 if len(registry_custom_ca_bundle_path) > 0 and os.path.isfile(registry_custom_ca_bundle_path):
-    shutil.copyfile(registry_custom_ca_bundle_path, os.path.join(registry_config_dir, "custom-ca-bundle.crt"))
-    print("Copied custom ca bundle: %s" % os.path.join(registry_config_dir, "custom-ca-bundle.crt"))
+    shutil.copyfile(registry_custom_ca_bundle_path, os.path.join(config_dir, "custom-ca-bundle.crt"))
+    print("Copied custom ca bundle: %s" % os.path.join(config_dir, "custom-ca-bundle.crt"))

 if args.notary_mode:
    notary_config_dir = prep_conf_dir(config_dir, "notary")
@ -638,11 +638,6 @@ if args.chart_mode:
    if not os.path.isdir(chartm_config_dir):
        print ("Create config folder: %s" % chartm_config_dir)
        os.makedirs(chartm_config_dir)
-
-    # handle custom ca bundle
-    if len(registry_custom_ca_bundle_path) > 0 and os.path.isfile(registry_custom_ca_bundle_path):
-        shutil.copyfile(registry_custom_ca_bundle_path, os.path.join(chartm_config_dir, "custom-ca-bundle.crt"))
-        print("Copied custom ca bundle: %s" % os.path.join(chartm_config_dir, "custom-ca-bundle.crt"))
    
    # process redis info
    cache_store = "redis"