Merge pull request #6247 from stonezdj/trust_cert2

Install custom cert for clair, registry, chartmuseum
stonezdj(Daojun Zhang) 2018-11-12 14:07:34 +08:00 committed by GitHub
commit ae007c2a49
11 changed files with 35 additions and 37 deletions


@ -22,6 +22,7 @@ services:
volumes:
- /data/chart_storage:/chart_storage:z
- ./common/config/chartserver:/etc/chartserver:z
- ./common/config/custom-ca-bundle.crt:/harbor_cust_cert/custom-ca-bundle.crt:z
logging:
driver: "syslog"
options:
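Review bot: The new bind mount on the custom-ca-bundle line is read-write even though the container only reads it, and the entrypoint copies its contents into the system trust store as root; mounting it `./common/config/custom-ca-bundle.crt:/harbor_cust_cert/custom-ca-bundle.crt:ro,z` keeps a misbehaving or compromised container from rewriting the host-side bundle that the other services also trust. The identical lines in the clair and registry compose sections below should get the same `ro`. Note also that the mount is unconditional: when prepare has not created the host file, Docker creates an empty directory at that path, which the `-f` check in install_cert.sh treats as "no bundle", so the skip is silent rather than an error.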


@ -28,6 +28,7 @@ services:
- postgresql
volumes:
- ./common/config/clair/config.yaml:/etc/clair/config.yaml:z
- ./common/config/custom-ca-bundle.crt:/harbor_cust_cert/custom-ca-bundle.crt:z
logging:
driver: "syslog"
options:


@ -19,6 +19,7 @@ services:
volumes:
- /data/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z
- ./common/config/custom-ca-bundle.crt:/harbor_cust_cert/custom-ca-bundle.crt:z
networks:
- harbor
dns_search: .


@ -3,10 +3,12 @@ FROM photon:2.0
RUN tdnf install -y shadow sudo >>/dev/null\
&& tdnf clean all \
&& mkdir /chartserver/ \
&& mkdir /harbor/ \
&& groupadd -r -g 10000 chartuser \
&& useradd --no-log-init -m -r -g 10000 -u 10000 chartuser
COPY ./make/photon/chartserver/binary/chartm /chartserver/
COPY ./make/photon/chartserver/docker-entrypoint.sh /docker-entrypoint.sh
COPY ./make/photon/common/install_cert.sh /harbor
VOLUME ["/chart_storage"]
EXPOSE 9999
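Review bot: `COPY ./make/photon/common/install_cert.sh /harbor` carries over whatever mode bits the repository file has, and the entrypoint then invokes it by path (`/harbor/install_cert.sh`), so container start fails with a permission error if the script is ever committed without the execute bit; the registry Dockerfile already guards its own entrypoint this way (`RUN chmod u+x /entrypoint.sh`) but not the new script. Add `RUN chmod u+x /harbor/install_cert.sh` after the COPY here, and in the registry Dockerfile extend the existing line to `RUN chmod u+x /entrypoint.sh /harbor/install_cert.sh`. The same COPY appears in the clair and registry Dockerfile sections. A comment such as `# install_cert.sh appends /harbor_cust_cert/custom-ca-bundle.crt to the system CA bundle at container start` above the COPY would tell a reader why a shell script ships next to the binary.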


@ -7,21 +7,7 @@ if [ -d /chart_storage ]; then
chown 10000:10000 -R /chart_storage
fi
#Config the custom ca bundle
if [ -f /etc/chartserver/custom-ca-bundle.crt ]; then
if grep -q "Photon" /etc/lsb-release; then
if [ ! -f /etc/pki/tls/certs/ca-bundle.crt.original ]; then
cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.original
fi
echo "Appending custom ca bundle ..."
cp /etc/pki/tls/certs/ca-bundle.crt.original /etc/pki/tls/certs/ca-bundle.crt
cat /etc/chartserver/custom-ca-bundle.crt >> /etc/pki/tls/certs/ca-bundle.crt
echo "Done."
else
echo "Current OS is not Photon, skip appending ca bundle"
fi
fi
/harbor/install_cert.sh
#Start the server process
sudo -E -H -u \#10000 sh -c "/chartserver/chartm" #Parameters are set by ENV


@ -3,11 +3,13 @@ FROM photon:2.0
RUN tdnf install -y git shadow sudo rpm xz python-xml >>/dev/null\
&& tdnf clean all \
&& mkdir /clair/ \
&& mkdir /harbor \
&& groupadd -r -g 10000 clair \
&& useradd --no-log-init -m -r -g 10000 -u 10000 clair
COPY ./make/photon/clair/binary/clair /clair/
COPY ./make/photon/clair/docker-entrypoint.sh /docker-entrypoint.sh
COPY ./make/photon/clair/dumb-init /dumb-init
COPY ./make/photon/common/install_cert.sh /harbor
VOLUME /config


@ -1,4 +1,6 @@
#!/bin/bash
set -e
/harbor/install_cert.sh
sudo -E -H -u \#10000 sh -c "/dumb-init -- /clair/clair -config /etc/clair/config.yaml $*"
set +e
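Review bot: `set +e` on the last line has no effect — it is only reached after the server command has returned and nothing else runs — so it can be dropped; with `set -e` now at the top, a failing `/harbor/install_cert.sh` correctly aborts startup before privileges are dropped to uid 10000. Because the server is launched through a plain `sudo ... sh -c "..."` rather than `exec sudo ...`, the bash wrapper stays in front of dumb-init as PID 1; that is pre-existing behaviour, but this hunk is the natural place to add the `exec`.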


@ -0,0 +1,18 @@
#!/bin/sh
set -e
if [ ! -f /etc/pki/tls/certs/ca-bundle.crt.original ]; then
cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.original
fi
if [ -f /harbor_cust_cert/custom-ca-bundle.crt ]; then
if grep -q "Photon" /etc/lsb-release; then
echo "Appending custom ca bundle ..."
cp /etc/pki/tls/certs/ca-bundle.crt.original /etc/pki/tls/certs/ca-bundle.crt
cat /harbor_cust_cert/custom-ca-bundle.crt >> /etc/pki/tls/certs/ca-bundle.crt
echo "Done."
else
echo "Current OS is not Photon, skip appending ca bundle"
fi
fi
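Review bot: The backup of the system bundle (the `if [ ! -f /etc/pki/tls/certs/ca-bundle.crt.original ]` block at the top) runs unconditionally and before the `[ -f /harbor_cust_cert/custom-ca-bundle.crt ]` guard, so under `set -e` the script — and every entrypoint that now calls it — aborts on any base image where `/etc/pki/tls/certs/ca-bundle.crt` is absent, even when no custom bundle is configured; the chartserver logic this replaces took the backup inside the guard. Moving those three lines into the `if [ -f /harbor_cust_cert/... ]` branch, ahead of the `grep -q "Photon"` check, restores that and keeps the no-bundle path free of side effects. The script also lacks a header comment; a line such as `# Append the operator-supplied CA bundle mounted at /harbor_cust_cert to the Photon system trust store, restoring the pristine copy first so repeated starts do not duplicate entries` would explain the .original dance. The appended file is never checked to be PEM data, so a stray or truncated bundle silently corrupts the trust store for the process; a `grep -q 'BEGIN CERTIFICATE'` on it before the `cat` would turn that into an explicit skip message.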


@ -5,7 +5,10 @@ MAINTAINER wangyan@vmware.com
# The original script in the docker offical registry image.
RUN tdnf install sudo -y >> /dev/null\
&& tdnf clean all \
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor
&& mkdir /harbor/ \
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor
COPY ./make/photon/common/install_cert.sh /harbor
COPY ./make/photon/registry/entrypoint.sh /
RUN chmod u+x /entrypoint.sh


@ -17,20 +17,7 @@ if [ -d /storage ]; then
fi
fi
if [ ! -f /etc/pki/tls/certs/ca-bundle.crt.original ]; then
cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.original
fi
if [ -f /etc/registry/custom-ca-bundle.crt ]; then
if grep -q "Photon" /etc/lsb-release; then
echo "Appending custom ca bundle ..."
cp /etc/pki/tls/certs/ca-bundle.crt.original /etc/pki/tls/certs/ca-bundle.crt
cat /etc/registry/custom-ca-bundle.crt >> /etc/pki/tls/certs/ca-bundle.crt
echo "Done."
else
echo "Current OS is not Photon, skip appending ca bundle"
fi
fi
/harbor/install_cert.sh
case "$1" in
*.yaml|*.yml) set -- registry serve "$@" ;;


@ -532,8 +532,8 @@ else:
shutil.copyfile(os.path.join(templates_dir, "registry", "root.crt"), os.path.join(registry_config_dir, "root.crt"))
if len(registry_custom_ca_bundle_path) > 0 and os.path.isfile(registry_custom_ca_bundle_path):
shutil.copyfile(registry_custom_ca_bundle_path, os.path.join(registry_config_dir, "custom-ca-bundle.crt"))
print("Copied custom ca bundle: %s" % os.path.join(registry_config_dir, "custom-ca-bundle.crt"))
shutil.copyfile(registry_custom_ca_bundle_path, os.path.join(config_dir, "custom-ca-bundle.crt"))
print("Copied custom ca bundle: %s" % os.path.join(config_dir, "custom-ca-bundle.crt"))
if args.notary_mode:
notary_config_dir = prep_conf_dir(config_dir, "notary")
@ -638,11 +638,6 @@ if args.chart_mode:
if not os.path.isdir(chartm_config_dir):
print ("Create config folder: %s" % chartm_config_dir)
os.makedirs(chartm_config_dir)
# handle custom ca bundle
if len(registry_custom_ca_bundle_path) > 0 and os.path.isfile(registry_custom_ca_bundle_path):
shutil.copyfile(registry_custom_ca_bundle_path, os.path.join(chartm_config_dir, "custom-ca-bundle.crt"))
print("Copied custom ca bundle: %s" % os.path.join(chartm_config_dir, "custom-ca-bundle.crt"))
# process redis info
cache_store = "redis"
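Review bot: In the first hunk the bundle is now written to `os.path.join(config_dir, "custom-ca-bundle.crt")` only when `registry_custom_ca_bundle_path` is set and points at a file; nothing removes that destination when the setting is later cleared, so a previously installed bundle stays on disk and, through the unconditional compose mounts, keeps being appended to the trust store of registry, clair and chartserver. Add an `else` branch that deletes a stale destination (`os.remove(dst)` when it is a file, `shutil.rmtree(dst)` if Docker has turned a missing mount source into a directory) so that removing the CA from the config actually withdraws trust. The removal of the chartm copy in the second hunk is consistent with the shared mount and needs no further change.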