Merge pull request #7612 from ninjadq/fix_tls_related_issues

Fix TLS-related issues
This commit is contained in:
Qian Deng 2019-05-10 16:36:51 +08:00 committed by GitHub
commit eba20baba5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 78 additions and 32 deletions


@ -10,12 +10,12 @@ http:
port: 80
# https related config
https:
# https port for harbor, default is 443
port: 443
#The path of cert and key files for nginx
certificate: /data/cert/server.crt
private_key: /data/cert/server.key
# https:
# # https port for harbor, default is 443
# port: 443
# # The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
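Review bot: The default TLS posture of a fresh install hinges on which `https:` block is live here, and the template does not say so; if the block carrying `certificate: /data/cert/server.crt` is the one being commented out, a stock `harbor.yml` serves only plain HTTP on the `port: 80` shown above. Whichever side is active, a line such as `# Leave this block commented to run Harbor over plain http only (port 80 above); uncomment it and point certificate/private_key at real files to enable https.` would make the consequence explicit. The placeholder paths `/your/certificate/path` and `/your/private/key/path` also differ from the `/data/cert/...` layout the install test script in this commit appends, so a reader copying from this file ends up with a different layout than CI exercises.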


@ -32,12 +32,18 @@ services:
volumes:
- {{data_volume}}/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z
- {{data_volume}}/secret/registry/root.crt:/etc/registry/root.crt:z
- type: bind
source: {{data_volume}}/secret/registry/root.crt
target: /etc/registry/root.crt
{% if gcs_keyfile %}
- {{gcs_keyfile}}:/etc/registry/gcs.key
- type: bind
source: {{gcs_keyfile}}
target: /etc/registry/gcs.key
{% endif %}
{%if registry_custom_ca_bundle_path %}
- {{registry_custom_ca_bundle_path}}:/harbor_cust_cert/custom-ca-bundle.crt:z
- type: bind
source: {{registry_custom_ca_bundle_path}}
target: /harbor_cust_cert/custom-ca-bundle.crt
{% endif %}
networks:
- harbor
@ -67,9 +73,13 @@ services:
volumes:
- {{data_volume}}/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z
- ./common/config/registryctl/config.yml:/etc/registryctl/config.yml:z
- type: bind
source: ./common/config/registryctl/config.yml
target: /etc/registryctl/config.yml
{%if registry_custom_ca_bundle_path %}
- {{registry_custom_ca_bundle_path}}:/harbor_cust_cert/custom-ca-bundle.crt:z
- type: bind
source: {{registry_custom_ca_bundle_path}}
target: /harbor_cust_cert/custom-ca-bundle.crt
{% endif %}
networks:
- harbor
@ -128,12 +138,19 @@ services:
- SETGID
- SETUID
volumes:
- ./common/config/core/app.conf:/etc/core/app.conf:z
- {{data_volume}}/secret/core/private_key.pem:/etc/core/private_key.pem:z
- {{data_volume}}/secret/keys/secretkey:/etc/core/key:z
- {{data_volume}}/ca_download/:/etc/core/ca/:z
- {{data_volume}}/psc/:/etc/core/token/:z
- {{data_volume}}/:/data/:z
- ./common/config/core/certificates/:/etc/core/certificates/:z
- type: bind
source: ./common/config/core/app.conf
target: /etc/core/app.conf
- type: bind
source: {{data_volume}}/secret/core/private_key.pem
target: /etc/core/private_key.pem
- type: bind
source: {{data_volume}}/secret/keys/secretkey
target: /etc/core/key
{% if uaa_ca_file %}
- type: bind
source: {{uaa_ca_file}}
@ -200,7 +217,9 @@ services:
- SETUID
volumes:
- {{data_volume}}/job_logs:/var/log/jobs:z
- ./common/config/jobservice/config.yml:/etc/jobservice/config.yml:z
- type: bind
source: ./common/config/jobservice/config.yml
target: /etc/jobservice/config.yml
networks:
- harbor
{% if with_clair %}
@ -256,8 +275,12 @@ services:
volumes:
- ./common/config/nginx:/etc/nginx:z
{% if protocol == 'https' %}
- {{cert_key_path}}:/etc/nginx/cert/server.key:z
- {{cert_path}}:/etc/nginx/cert/server.crt:z
- type: bind
source: {{cert_key_path}}
target: /etc/cert/server.key
- type: bind
source: {{cert_path}}
target: /etc/cert/server.crt
{% endif %}
networks:
- harbor
@ -295,8 +318,12 @@ services:
dns_search: .
volumes:
- ./common/config/notary:/etc/notary:z
- {{data_volume}}/secret/notary/notary-signer-ca.crt:/etc/notary/notary-signer-ca.crt:z
- {{data_volume}}/secret/registry/root.crt:/etc/notary/root.crt:z
- type: bind
source: {{data_volume}}/secret/notary/notary-signer-ca.crt
target: /etc/notary/notary-signer-ca.crt
- type: bind
source: {{data_volume}}/secret/registry/root.crt
target: /etc/notary/root.crt
env_file:
- ./common/config/notary/server_env
depends_on:
@ -319,8 +346,12 @@ services:
dns_search: .
volumes:
- ./common/config/notary:/etc/notary:z
- {{data_volume}}/secret/notary/notary-signer.crt:/etc/notary/notary-signer.crt:z
- {{data_volume}}/secret/notary/notary-signer.key:/etc/notary/notary-signer.key:z
- type: bind
source: {{data_volume}}/secret/notary/notary-signer.crt
target: /etc/notary/notary-signer.crt
- type: bind
source: {{data_volume}}/secret/notary/notary-signer.key
target: /etc/notary/notary-signer.key
env_file:
- ./common/config/notary/signer_env
depends_on:
@ -349,9 +380,13 @@ services:
depends_on:
- postgresql
volumes:
- ./common/config/clair/config.yaml:/etc/clair/config.yaml:z
- type: bind
source: ./common/config/clair/config.yaml
target: /etc/clair/config.yaml
{%if registry_custom_ca_bundle_path %}
- {{registry_custom_ca_bundle_path}}:/harbor_cust_cert/custom-ca-bundle.crt:z
- type: bind
source: {{registry_custom_ca_bundle_path}}
target: /harbor_cust_cert/custom-ca-bundle.crt
{% endif %}
logging:
driver: "syslog"
@ -382,10 +417,14 @@ services:
- {{data_volume}}/chart_storage:/chart_storage:z
- ./common/config/chartserver:/etc/chartserver:z
{% if gcs_keyfile %}
- {{gcs_keyfile}}:/etc/registry/gcs.key
- type: bind
source: {{gcs_keyfile}}
target: /etc/registry/gcs.key
{% endif %}
{%if registry_custom_ca_bundle_path %}
- {{registry_custom_ca_bundle_path}}:/harbor_cust_cert/custom-ca-bundle.crt:z
- type: bind
source: {{registry_custom_ca_bundle_path}}
target: /harbor_cust_cert/custom-ca-bundle.crt
{% endif %}
logging:
driver: "syslog"
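Review bot: Every mount rewritten to the long `type: bind` form in this section drops the `:z` suffix the short form carried (for example `{{data_volume}}/secret/registry/root.crt:/etc/registry/root.crt:z` becomes a bind entry with no label option), so on an SELinux-enforcing host the containers may lose access to these certificate, key and config files. As far as I know the compose v3 long syntax has no field for the SELinux relabel, so either the relabeling has to happen outside compose (presumably in prepare) or the loss should be stated in the commit. Independently, the private keys and trust material mounted here (`server.key`, `notary-signer.key`, `private_key.pem`, `root.crt`, `custom-ca-bundle.crt`) are bind-mounted writable; adding `read_only: true` to those entries keeps a misbehaving or compromised service from altering its own keys and CA bundle. The nginx service's new targets `/etc/cert/server.key` and `/etc/cert/server.crt` must stay in step with the `SSL_CERT_PATH` constants in the prepare utils, which this commit also moves.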


@ -7,12 +7,8 @@ from functools import wraps
from .misc import mark_file
from .misc import generate_random_string
SSL_CERT_PATH = os.path.join("/etc/nginx/cert", "server.crt")
SSL_CERT_KEY_PATH = os.path.join("/etc/nginx/cert", "server.key")
secret_cert_dir = '/secret/nginx'
secret_cert = '/secret/nginx/server.crt'
secret_cert_key = '/secret/nginx/server.key'
SSL_CERT_PATH = os.path.join("/etc/cert", "server.crt")
SSL_CERT_KEY_PATH = os.path.join("/etc/cert", "server.key")
secret_keys_dir = '/secret/keys'
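Review bot: `SSL_CERT_PATH` and `SSL_CERT_KEY_PATH` now encode `/etc/cert`, which is only correct because the nginx service's bind-mount targets in docker-compose.yml.jinja were changed to the same directory in this commit, and nothing records that coupling. A short comment above them, `# Paths inside the nginx container; must match the bind-mount targets for cert_path/cert_key_path in docker-compose.yml.jinja`, would stop the two drifting apart again. The deleted `secret_cert_dir`/`secret_cert`/`secret_cert_key` constants may still be referenced elsewhere in the package; that is outside this hunk, so it is worth a grep before merge.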


@ -1,5 +1,6 @@
import os, shutil
from fnmatch import fnmatch
from pathlib import Path
from g import config_dir, templates_dir
from utils.misc import prepare_config_dir, mark_file
@ -25,6 +26,12 @@ def render_nginx_template(config_dict):
ssl_cert=SSL_CERT_PATH,
ssl_cert_key=SSL_CERT_KEY_PATH)
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
cert_dir = Path(os.path.join(config_dir, 'cert'))
ssl_key_path = Path(os.path.join(cert_dir, 'server.key'))
ssl_crt_path = Path(os.path.join(cert_dir, 'server.crt'))
cert_dir.mkdir(parents=True, exist_ok=True)
ssl_key_path.touch()
ssl_crt_path.touch()
else:
render_jinja(
nginx_http_conf_template,
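Review bot: `ssl_key_path.touch()` creates the placeholder private-key file with the process's default mode (typically 0644 under a 022 umask), and `Path.touch` leaves the mode of an already existing file untouched, so if the real key is later written into this path it can be left world-readable; create it as `ssl_key_path.touch(mode=0o600)` and make sure the step that copies the real key in also sets a restrictive mode. A comment on why empty files are created at all would help — presumably so the long-form bind mounts in docker-compose.yml.jinja have an existing source — since an empty `server.key` that is never replaced will only fail inside nginx rather than here at prepare time. Mixing `Path` with `os.path.join` is unnecessary: `cert_dir = Path(config_dir) / 'cert'` and `ssl_key_path = cert_dir / 'server.key'` read cleaner. `render_nginx_template` begins above this hunk and its `else:` branch continues below it.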


@ -45,7 +45,7 @@ secret_dir=${data_path}/secret
config_dir=$harbor_prepare_path/common/config
# Run prepare script
docker run -it --rm -v $input_dir:/input \
docker run --rm -v $input_dir:/input \
-v $harbor_prepare_path:/compose_location \
-v $config_dir:/config \
-v $secret_dir:/secret \
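Review bot: The new `docker run --rm -v $input_dir:/input \` line still expands `$input_dir` unquoted, as do the `$harbor_prepare_path`, `$config_dir` and `$secret_dir` arguments below it, so an install path containing whitespace splits into separate arguments; quote them as `-v "$input_dir:/input" \`. Dropping `-it` is reasonable for a non-interactive prepare step, and a one-line comment noting that the script may run without a TTY would explain the removal to the next reader.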


@ -3,3 +3,7 @@ IP=`ip addr s eth0 |grep "inet "|awk '{print $2}' |awk -F "/" '{print $1}'`
#echo $IP
sudo sed "s/reg.mydomain.com/$IP/" -i make/harbor.yml
echo "https:" >> make/harbor.yml
echo " certificate: /data/cert/server.crt" >> make/harbor.yml
echo " private_key: /data/cert/server.key" >> make/harbor.yml
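Review bot: The appended `https:` block relies on `make/harbor.yml` having no live `https:` key already — true only while the template's https section stays commented out — and on the leading spaces in the `echo " certificate: ..."` and `echo " private_key: ..."` lines surviving as YAML indentation under `https:`; the rendered page may have collapsed that whitespace, so please confirm the resulting file is the nested mapping the prepare script expects. A single quoted heredoc (`cat >> make/harbor.yml <<'EOF'` … `EOF`) would make the indentation visible in the script and replace three separate appends.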