Merge pull request #8640 from ninjadq/fix_permission_of_nginx_cert

Fix permission of nginx cert

make/photon/prepare/g.py

@@ -12,11 +12,12 @@ REDIS_UID = 999
 REDIS_GID = 999
 
 ## Global variable
+host_root_dir = '/hostfs'
+
 base_dir = '/harbor_make'
 templates_dir = "/usr/src/app/templates"
 config_dir = '/config'
 data_dir = '/data'
-
 secret_dir = '/secret'
 secret_key_dir='/secret/keys'
 

make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja

@@ -276,12 +276,7 @@ services:
     volumes:
       - ./common/config/nginx:/etc/nginx:z
 {% if protocol == 'https' %}
-      - type: bind
+      - {{data_volume}}/secret/cert:/etc/cert:z
-        source: {{cert_key_path}}
-        target: /etc/cert/server.key
-      - type: bind
-        source: {{cert_path}}
-        target: /etc/cert/server.crt
 {% endif %}
     networks:
       - harbor

make/photon/prepare/utils/nginx.py

@@ -2,11 +2,13 @@ import os, shutil
 from fnmatch import fnmatch
 from pathlib import Path
 
-from g import config_dir, templates_dir, DEFAULT_GID, DEFAULT_UID
+from g import config_dir, templates_dir, host_root_dir, DEFAULT_GID, DEFAULT_UID, data_dir
 from utils.misc import prepare_dir, mark_file
 from utils.jinja import render_jinja
 from utils.cert import SSL_CERT_KEY_PATH, SSL_CERT_PATH
 
+host_ngx_real_cert_dir = Path(os.path.join(data_dir, 'secret', 'cert'))
+
 nginx_conf = os.path.join(config_dir, "nginx", "nginx.conf")
 nginx_confd_dir = os.path.join(config_dir, "nginx", "conf.d")
 nginx_https_conf_template = os.path.join(templates_dir, "nginx", "nginx.https.conf.jinja")
@@ -20,8 +22,38 @@ def prepare_nginx(config_dict):
     prepare_dir(nginx_confd_dir, uid=DEFAULT_UID, gid=DEFAULT_GID)
     render_nginx_template(config_dict)
 
+
+def prepare_nginx_certs(cert_key_path, cert_path):
+    """
+    Prepare the certs file with proper ownership
+    1. Remove nginx cert files in secret dir
+    2. Copy cert files on host filesystem to secret dir
+    3. Change the permission to 644 and ownership to 10000:10000
+    """
+    host_ngx_cert_key_path = Path(os.path.join(host_root_dir, cert_key_path.lstrip('/')))
+    host_ngx_cert_path = Path(os.path.join(host_root_dir, cert_path.lstrip('/')))
+
+    if host_ngx_real_cert_dir.exists() and host_ngx_real_cert_dir.is_dir():
+        shutil.rmtree(host_ngx_real_cert_dir)
+
+    os.makedirs(host_ngx_real_cert_dir, mode=0o755)
+    real_key_path = os.path.join(host_ngx_real_cert_dir, 'server.key')
+    real_crt_path = os.path.join(host_ngx_real_cert_dir, 'server.crt')
+    shutil.copy2(host_ngx_cert_key_path, real_key_path)
+    shutil.copy2(host_ngx_cert_path, real_crt_path)
+
+    os.chown(host_ngx_real_cert_dir, uid=DEFAULT_UID, gid=DEFAULT_GID)
+    mark_file(real_key_path, uid=DEFAULT_UID, gid=DEFAULT_GID)
+    mark_file(real_crt_path, uid=DEFAULT_UID, gid=DEFAULT_GID)
+
+
 def render_nginx_template(config_dict):
-    if config_dict['protocol'] == "https":
+    """
+    1. render nginx config file through protocol
+    2. copy additional configs to cert.d dir
+    """
+    if config_dict['protocol'] == 'https':
+        prepare_nginx_certs(config_dict['cert_key_path'], config_dict['cert_path'])
         render_jinja(
             nginx_https_conf_template,
             nginx_conf,
@@ -30,12 +62,7 @@ def render_nginx_template(config_dict):
             ssl_cert=SSL_CERT_PATH,
             ssl_cert_key=SSL_CERT_KEY_PATH)
         location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
-        cert_dir = Path(os.path.join(config_dir, 'cert'))
+
-        ssl_key_path = Path(os.path.join(cert_dir, 'server.key'))
-        ssl_crt_path = Path(os.path.join(cert_dir, 'server.crt'))
-        cert_dir.mkdir(parents=True, exist_ok=True)
-        ssl_key_path.touch()
-        ssl_crt_path.touch()
     else:
         render_jinja(
             nginx_http_conf_template,
@@ -45,22 +72,23 @@ def render_nginx_template(config_dict):
         location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTP
     copy_nginx_location_configs_if_exist(nginx_template_ext_dir, nginx_confd_dir, location_file_pattern)
 
-def add_additional_location_config(src, dst):
-    """
-    These conf files is used for user that wanna add additional customized locations to harbor proxy
-    :params src: source of the file
-    :params dst: destination file path
-    """
-    if not os.path.isfile(src):
-        return
-    print("Copying nginx configuration file {src} to {dst}".format(
-        src=src, dst=dst))
-    shutil.copy2(src, dst)
-    mark_file(dst, mode=0o644)
 
 def copy_nginx_location_configs_if_exist(src_config_dir, dst_config_dir, filename_pattern):
     if not os.path.exists(src_config_dir):
         return
+
+    def add_additional_location_config(src, dst):
+        """
+        These conf files is used for user that wanna add additional customized locations to harbor proxy
+        :params src: source of the file
+        :params dst: destination file path
+        """
+        if not os.path.isfile(src):
+            return
+        print("Copying nginx configuration file {src} to {dst}".format(src=src, dst=dst))
+        shutil.copy2(src, dst)
+        mark_file(dst, mode=0o644)
+
     map(lambda filename: add_additional_location_config(
         os.path.join(src_config_dir, filename),
         os.path.join(dst_config_dir, filename)),

make/prepare

@@ -50,6 +50,7 @@ docker run --rm -v $input_dir:/input:z \
                     -v $harbor_prepare_path:/compose_location:z \
                     -v $config_dir:/config:z \
                     -v $secret_dir:/secret:z \
+                    -v /:/hostfs:z \
                     goharbor/prepare:dev $@
 
 echo "Clean up the input dir"