mirror of
https://github.com/goharbor/harbor.git
synced 2024-06-29 00:05:09 +02:00
generate self-signed certificate
This commit is contained in:
Wenkai Yin
parent
6d901e2335
commit
ce56ff2fae
|
|
@ -85,6 +85,6 @@ crt_email = example@example.com
|
|||
|
||||
|
||||
#The path of cert and key files for nginx, they are applied only the protocol is set to https
|
||||
ssl_cert = /data/server.crt
|
||||
ssl_cert_key = /data/server.key
|
||||
ssl_cert = /data/cert/server.crt
|
||||
ssl_cert_key = /data/cert/server.key
|
||||
#############
|
||||
|
|
|
|||
|
|
@ -18,9 +18,21 @@ attrs=(
|
|||
verify_remote_cert
|
||||
self_registration
|
||||
)
|
||||
|
||||
cert=/data/cert/server.crt
|
||||
key=/data/cert/server.key
|
||||
csr=/data/cert/server.csr
|
||||
ca_cert=/data/cert/ca.crt
|
||||
ca_key=/data/cert/ca.key
|
||||
ext=/data/cert/extfile.cnf
|
||||
|
||||
hostname=""
|
||||
|
||||
base_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"
|
||||
|
||||
isFQDN=true
|
||||
flag=$base_dir/cert_gen_type
|
||||
|
||||
#The location of harbor.cfg
|
||||
cfg=$base_dir/harbor/harbor.cfg
|
||||
|
||||
|
|
@ -35,10 +47,82 @@ function format {
|
|||
echo $tail >> $file
|
||||
}
|
||||
|
||||
function genCert {
|
||||
if [ ! -e $ca_cert ] || [ ! -e $ca_key ]
|
||||
then
|
||||
openssl req -newkey rsa:4096 -nodes -sha256 -keyout $ca_key \
|
||||
-x509 -days 365 -out $ca_cert -subj \
|
||||
"/C=US/ST=California/L=Palo Alto/O=VMware/OU=CA/CN=CA"
|
||||
fi
|
||||
openssl req -newkey rsa:4096 -nodes -sha256 -keyout $key \
|
||||
-out $csr -subj \
|
||||
"/C=US/ST=California/L=Palo Alto/O=VMware/OU=Harbor/CN=$hostname"
|
||||
if [ "$isFQDN" = false ]
|
||||
then
|
||||
echo "Add subjectAltName = IP: $hostname to certificate"
|
||||
echo subjectAltName = IP:$hostname > $ext
|
||||
#openssl x509 -req -days 365 -in $csr -signkey $key -extfile $ext -out $cert
|
||||
openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -extfile $ext -out $cert
|
||||
else
|
||||
#openssl x509 -req -days 365 -in $csr -signkey $key -out $cert
|
||||
openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -out $cert
|
||||
fi
|
||||
echo "self-signed" > $flag
|
||||
}
|
||||
|
||||
function secure {
|
||||
echo "Read attribute using ovfenv: [ ssl_cert ]"
|
||||
ssl_cert=$(ovfenv -k ssl_cert)
|
||||
echo "Read attribute using ovfenv: [ ssl_cert_key ]"
|
||||
ssl_cert_key=$(ovfenv -k ssl_cert_key)
|
||||
if [ -n "$ssl_cert" ] && [ -n "$ssl_cert_key" ]
|
||||
then
|
||||
echo "ssl_cert and ssl_cert_key are both set, using customized certificate"
|
||||
echo $ssl_cert > $cert
|
||||
format $cert
|
||||
echo $ssl_cert_key > $key
|
||||
format $key
|
||||
echo "customized" > $flag
|
||||
return
|
||||
fi
|
||||
|
||||
if [ ! -e $cert ] || [ ! -e $key ]
|
||||
then
|
||||
echo "Certificate or key file does not exist, will generate a self-signed certificate"
|
||||
genCert
|
||||
return
|
||||
fi
|
||||
|
||||
if [ ! -e $flag ]
|
||||
then
|
||||
echo "The file which records the way generating certificate does not exist, will generate a new self-signed certificate"
|
||||
genCert
|
||||
return
|
||||
fi
|
||||
|
||||
if [ ! $(cat $flag) = "self-signed" ]
|
||||
then
|
||||
echo "The way generating certificate changed, will generate a new self-signed certificate"
|
||||
genCert
|
||||
return
|
||||
fi
|
||||
|
||||
cn=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p') || true
|
||||
if [ "$hostname" != "$cn" ]
|
||||
then
|
||||
echo "Common name changed: $cn -> $hostname , will generate a new self-signed certificate"
|
||||
genCert
|
||||
return
|
||||
fi
|
||||
|
||||
echo "Use the existing certificate and key file"
|
||||
}
|
||||
|
||||
#Modify hostname
|
||||
hostname=$(hostname --fqdn) || true
|
||||
if [ -z "$hostname" ]
|
||||
then
|
||||
isFQDN=false
|
||||
hostname=$(ip addr show eth0|grep "inet "|tr -s ' '|cut -d ' ' -f 3|cut -d '/' -f 1)
|
||||
fi
|
||||
|
||||
|
|
@ -52,22 +136,19 @@ else
|
|||
fi
|
||||
|
||||
#Handle http/https
|
||||
protocol=http
|
||||
echo "Read attribute using ovfenv: [ ssl_cert ]"
|
||||
ssl_cert=$(ovfenv -k ssl_cert)
|
||||
echo "Read attribute using ovfenv: [ ssl_cert_key ]"
|
||||
ssl_cert_key=$(ovfenv -k ssl_cert_key)
|
||||
if [ -n "$ssl_cert" ] && [ -n "$ssl_cert_key" ]
|
||||
echo "Read attribute using ovfenv: [ protocol ]"
|
||||
protocol=$(ovfenv -k protocol)
|
||||
if [ -z $protocol ]
|
||||
then
|
||||
echo "ssl_cert and ssl_cert_key are set, using HTTPS protocol"
|
||||
protocol=https
|
||||
sed -i -r s%"#?ui_url_protocol\s*=\s*.*"%"ui_url_protocol = $protocol"% $cfg
|
||||
echo $ssl_cert > /data/server.crt
|
||||
format /data/server.crt
|
||||
echo $ssl_cert_key > /data/server.key
|
||||
format /data/server.key
|
||||
else
|
||||
echo "ssl_cert and ssl_cert_key are not set, using HTTP protocol"
|
||||
fi
|
||||
|
||||
echo "Protocol: $protocol"
|
||||
sed -i -r s%"#?ui_url_protocol\s*=\s*.*"%"ui_url_protocol = $protocol"% $cfg
|
||||
|
||||
if [ $protocol = "https" ]
|
||||
then
|
||||
secure
|
||||
fi
|
||||
|
||||
for attr in "${attrs[@]}"
|
||||
|
|
|
|||
|
|
@ -45,7 +45,8 @@ then
|
|||
sed -i -r s%"#?auth_mode\s*=\s*.*"%"auth_mode = $auth_mode"% $base_dir/../harbor/harbor.cfg
|
||||
fi
|
||||
|
||||
#Configure other attrs
|
||||
#Configure other attrs
|
||||
mkdir -p /data/cert/
|
||||
configure
|
||||
|
||||
#Start Harbor
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user