mirror of
https://github.com/goharbor/harbor.git
synced 2024-07-14 07:45:29 +02:00
195 lines
4.4 KiB
Bash
Executable File
195 lines
4.4 KiB
Bash
Executable File
#!/bin/bash
|
|
set -e
|
|
|
|
attrs=(
|
|
ldap_url
|
|
ldap_searchdn
|
|
ldap_search_pwd
|
|
ldap_basedn
|
|
ldap_uid
|
|
email_server
|
|
email_server_port
|
|
email_username
|
|
email_password
|
|
email_from
|
|
email_ssl
|
|
verify_remote_cert
|
|
self_registration
|
|
)
|
|
|
|
cert_dir=/data/cert
|
|
mkdir -p $cert_dir
|
|
|
|
cert=$cert_dir/server.crt
|
|
key=$cert_dir/server.key
|
|
csr=$cert_dir/server.csr
|
|
ca_cert=$cert_dir/ca.crt
|
|
ca_key=$cert_dir/ca.key
|
|
ext=$cert_dir/extfile.cnf
|
|
|
|
ca_download_dir=/data/ca_download
|
|
mkdir -p $ca_download_dir
|
|
rm -rf $ca_download_dir/*
|
|
|
|
hostname=""
|
|
ip_addr=""
|
|
|
|
base_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"
|
|
source $base_dir/script/common.sh
|
|
|
|
flag=$base_dir/cert_gen_type
|
|
|
|
#The location of harbor.cfg
|
|
cfg=$base_dir/harbor/harbor.cfg
|
|
|
|
#Format cert file
|
|
function formatCert {
|
|
content=$1
|
|
file=$2
|
|
echo $content | sed -r "s/ /\n/g" | sed -r "/-+$/d" | sed -r "s/^(-+).*/& CERTIFICATE\1/g" > $file
|
|
}
|
|
|
|
#Format key file
|
|
function formatKey {
|
|
content=$1
|
|
file=$2
|
|
echo $content | sed -r "s/ /\n/g" | sed -r "/^PRIVATE$/d"| sed -r "/-+$/d" | sed -r "s/^(-+).*/& PRIVATE KEY\1/g" > $file
|
|
}
|
|
|
|
function genCert {
|
|
if [ ! -e $ca_cert ] || [ ! -e $ca_key ]
|
|
then
|
|
openssl req -newkey rsa:4096 -nodes -sha256 -keyout $ca_key \
|
|
-x509 -days 365 -out $ca_cert -subj \
|
|
"/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=Harbor/CN=Self-signed by VMware, Inc."
|
|
fi
|
|
openssl req -newkey rsa:4096 -nodes -sha256 -keyout $key \
|
|
-out $csr -subj \
|
|
"/C=US/ST=California/L=Palo Alto/O=VMware/OU=Harbor/CN=$hostname"
|
|
|
|
echo "Add subjectAltName = IP: $ip_addr to certificate"
|
|
echo subjectAltName = IP:$ip_addr > $ext
|
|
openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -extfile $ext -out $cert
|
|
|
|
echo "self-signed" > $flag
|
|
echo "Copy CA certificate to $ca_download_dir"
|
|
cp $ca_cert $ca_download_dir/
|
|
}
|
|
|
|
function secure {
|
|
echo "Read attribute using ovfenv: [ ssl_cert ]"
|
|
ssl_cert=$(ovfenv -k ssl_cert)
|
|
echo "Read attribute using ovfenv: [ ssl_cert_key ]"
|
|
ssl_cert_key=$(ovfenv -k ssl_cert_key)
|
|
if [ -n "$ssl_cert" ] && [ -n "$ssl_cert_key" ]
|
|
then
|
|
echo "ssl_cert and ssl_cert_key are both set, using customized certificate"
|
|
formatCert "$ssl_cert" $cert
|
|
formatKey "$ssl_cert_key" $key
|
|
echo "customized" > $flag
|
|
return
|
|
fi
|
|
|
|
if [ ! -e $ca_cert ] || [ ! -e $cert ] || [ ! -e $key ]
|
|
then
|
|
echo "CA, Certificate or key file does not exist, will generate a self-signed certificate"
|
|
genCert
|
|
return
|
|
fi
|
|
|
|
if [ ! -e $flag ]
|
|
then
|
|
echo "The file which records the way generating certificate does not exist, will generate a new self-signed certificate"
|
|
genCert
|
|
return
|
|
fi
|
|
|
|
if [ ! $(cat $flag) = "self-signed" ]
|
|
then
|
|
echo "The way generating certificate changed, will generate a new self-signed certificate"
|
|
genCert
|
|
return
|
|
fi
|
|
|
|
cn=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p') || true
|
|
if [ "$hostname" != "$cn" ]
|
|
then
|
|
echo "Common name changed: $cn -> $hostname , will generate a new self-signed certificate"
|
|
genCert
|
|
return
|
|
fi
|
|
|
|
ip_in_cert=$(openssl x509 -noout -text -in $cert | sed -n '/IP Address:/s/.*IP Address://p') || true
|
|
if [ "$ip_addr" != "$ip_in_cert" ]
|
|
then
|
|
echo "IP changed: $ip_in_cert -> $ip_addr , will generate a new self-signed certificate"
|
|
genCert
|
|
return
|
|
fi
|
|
|
|
echo "Use the existing CA, certificate and key file"
|
|
echo "Copy CA certificate to $ca_download_dir"
|
|
cp $ca_cert $ca_download_dir/
|
|
}
|
|
|
|
function detectHostname {
|
|
hostname=$(hostname --fqdn) || true
|
|
if [ -n $hostname ]
|
|
then
|
|
if [ "$hostname" = "localhost.localdom" ]
|
|
then
|
|
hostname=""
|
|
return
|
|
fi
|
|
echo "Get hostname from command 'hostname --fqdn': $hostname"
|
|
return
|
|
fi
|
|
}
|
|
|
|
#Modify hostname
|
|
detectHostname
|
|
ip_addr=$(ip addr show eth0|grep "inet "|tr -s ' '|cut -d ' ' -f 3|cut -d '/' -f 1)
|
|
if [ -z "$hostname" ]
|
|
then
|
|
echo "Hostname is null, set it to IP"
|
|
hostname=$ip_addr
|
|
fi
|
|
|
|
if [ -n "$hostname" ]
|
|
then
|
|
echo "Hostname: $hostname"
|
|
configureHarborCfg "hostname" "$hostname"
|
|
else
|
|
echo "Failed to get the hostname"
|
|
exit 1
|
|
fi
|
|
|
|
#Handle http/https
|
|
echo "Read attribute using ovfenv: [ protocol ]"
|
|
protocol=$(ovfenv -k protocol)
|
|
if [ -z $protocol ]
|
|
then
|
|
protocol=https
|
|
fi
|
|
|
|
echo "Protocol: $protocol"
|
|
configureHarborCfg ui_url_protocol $protocol
|
|
|
|
if [ $protocol = "https" ]
|
|
then
|
|
secure
|
|
fi
|
|
|
|
for attr in "${attrs[@]}"
|
|
do
|
|
echo "Read attribute using ovfenv: [ $attr ]"
|
|
value=$(ovfenv -k $attr)
|
|
|
|
#if [ "$attr" = ldap_search_pwd ] \
|
|
# || [ "$attr" = email_password ]
|
|
#then
|
|
# bs=$(echo $value | base64)
|
|
# value={base64}$bs
|
|
#fi
|
|
configureHarborCfg "$attr" "$value"
|
|
done |