Merge pull request #9550 from ninjadq/enable_https_by_default
Enable https by default
3f39b0ba4f
|
@ -10,12 +10,12 @@ http:
|
||||||
port: 80
|
port: 80
|
||||||
|
|
||||||
# https related config
|
# https related config
|
||||||
# https:
|
https:
|
||||||
# # https port for harbor, default is 443
|
# https port for harbor, default is 443
|
||||||
# port: 443
|
port: 443
|
||||||
# # The path of cert and key files for nginx
|
# The path of cert and key files for nginx
|
||||||
# certificate: /your/certificate/path
|
certificate: /your/certificate/path
|
||||||
# private_key: /your/private/key/path
|
private_key: /your/private/key/path
|
||||||
|
|
||||||
# Uncomment external_url if you want to enable external proxy
|
# Uncomment external_url if you want to enable external proxy
|
||||||
# And when it enabled the hostname will no longer used
|
# And when it enabled the hostname will no longer used
|
||||||
|
|
|
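Review bot: The `certificate:` and `private_key:` values that the hunk uncomments are placeholder paths that do not exist on any host, and with `https:` now enabled by default they are live configuration rather than a commented example. The comment on the new side says only `# The path of cert and key files for nginx`; it should tell the reader that both values must be replaced before running the installer, e.g. `# The path of cert and key files for nginx (replace both placeholder paths with real files before running ./install.sh)`. The same placeholder strings are what the prepare-side validator compares against, so any change to them here has to be mirrored there.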
@ -29,8 +29,8 @@ while [ $# -gt 0 ]; do
|
||||||
with_notary=true;;
|
with_notary=true;;
|
||||||
--with-clair)
|
--with-clair)
|
||||||
with_clair=true;;
|
with_clair=true;;
|
||||||
--with-chartmuseum)
|
--with-chartmuseum)
|
||||||
with_chartmuseum=true;;
|
with_chartmuseum=true;;
|
||||||
*)
|
*)
|
||||||
note "$usage"
|
note "$usage"
|
||||||
exit 1;;
|
exit 1;;
|
||||||
|
@ -41,37 +41,27 @@ done
|
||||||
workdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
workdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
||||||
cd $workdir
|
cd $workdir
|
||||||
|
|
||||||
# The hostname in harbor.yml has not been modified
|
h2 "[Step $item]: checking if docker is installed ..."; let item+=1
|
||||||
if grep '^[[:blank:]]*hostname: reg.mydomain.com' &> /dev/null harbor.yml
|
|
||||||
then
|
|
||||||
warn "$usage"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
h2 "[Step $item]: checking installation environment ..."; let item+=1
|
|
||||||
check_docker
|
check_docker
|
||||||
check_dockercompose
|
|
||||||
|
|
||||||
if [ -f harbor*.tar.gz ]
|
h2 "[Step $item]: checking docker-compose is installed ..."; let item+=1
|
||||||
then
|
check_dockercompose
|
||||||
h2 "[Step $item]: loading Harbor images ..."; let item+=1
|
|
||||||
docker load -i ./harbor*.tar.gz
|
|
||||||
fi
|
|
||||||
echo ""
|
|
||||||
|
|
||||||
h2 "[Step $item]: preparing environment ..."; let item+=1
|
h2 "[Step $item]: preparing environment ..."; let item+=1
|
||||||
if [ -n "$host" ]
|
if [ -n "$host" ]
|
||||||
then
|
then
|
||||||
sed "s/^hostname: .*/hostname: $host/g" -i ./harbor.yml
|
sed "s/^hostname: .*/hostname: $host/g" -i ./harbor.yml
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
h2 "[Step $item]: preparing harbor configs ..."; let item+=1
|
||||||
prepare_para=
|
prepare_para=
|
||||||
if [ $with_notary ]
|
if [ $with_notary ]
|
||||||
then
|
then
|
||||||
prepare_para="${prepare_para} --with-notary"
|
prepare_para="${prepare_para} --with-notary"
|
||||||
fi
|
fi
|
||||||
if [ $with_clair ]
|
if [ $with_clair ]
|
||||||
then
|
then
|
||||||
prepare_para="${prepare_para} --with-clair"
|
prepare_para="${prepare_para} --with-clair"
|
||||||
fi
|
fi
|
||||||
if [ $with_chartmuseum ]
|
if [ $with_chartmuseum ]
|
||||||
then
|
then
|
||||||
|
@ -81,32 +71,21 @@ fi
|
||||||
./prepare $prepare_para
|
./prepare $prepare_para
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
|
if [ -f harbor*.tar.gz ]
|
||||||
|
then
|
||||||
|
h2 "[Step $item]: loading Harbor images ..."; let item+=1
|
||||||
|
docker load -i ./harbor*.tar.gz
|
||||||
|
fi
|
||||||
|
echo ""
|
||||||
|
|
||||||
if [ -n "$(docker-compose ps -q)" ]
|
if [ -n "$(docker-compose ps -q)" ]
|
||||||
then
|
then
|
||||||
note "stopping existing Harbor instance ..."
|
note "stopping existing Harbor instance ..."
|
||||||
docker-compose down -v
|
docker-compose down -v
|
||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
h2 "[Step $item]: starting Harbor ..."
|
h2 "[Step $item]: starting Harbor ..."
|
||||||
docker-compose up -d
|
docker-compose up -d
|
||||||
|
|
||||||
protocol=http
|
success $"----Harbor has been installed and started successfully.----"
|
||||||
hostname=reg.mydomain.com
|
|
||||||
|
|
||||||
if [ -n "$(grep '^[^#]*https:' ./harbor.yml)" ]
|
|
||||||
then
|
|
||||||
protocol=https
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ $(grep '^[[:blank:]]*hostname:' ./harbor.yml) =~ hostname:[[:blank:]]*(.*) ]]
|
|
||||||
then
|
|
||||||
hostname=${BASH_REMATCH[1]}
|
|
||||||
fi
|
|
||||||
echo ""
|
|
||||||
|
|
||||||
success $"----Harbor has been installed and started successfully.----
|
|
||||||
|
|
||||||
Now you should be able to visit the admin portal at ${protocol}://${hostname}.
|
|
||||||
For more details, please visit https://github.com/goharbor/harbor .
|
|
||||||
"
|
|
||||||
|
|
|
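Review bot: The exit status of `./prepare $prepare_para` in the third hunk is not checked, and this commit removes the only in-script guard that used to stop the install on an unmodified `hostname: reg.mydomain.com` (the `grep ... exit 1` block deleted from the second hunk), moving that check into prepare's validator. Unless `set -e` is active above the hunk, a validation failure inside prepare lets the script fall through to `docker-compose down -v` and `docker-compose up -d` with a config it has just rejected; I would change the line to `./prepare $prepare_para || exit 1`. The surrounding `while`/`case` block of the first hunk starts outside the hunk, so I have only reviewed the lines shown.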
@ -31,7 +31,10 @@ def main(conf, with_notary, with_clair, with_chartmuseum):
|
||||||
|
|
||||||
delfile(config_dir)
|
delfile(config_dir)
|
||||||
config_dict = parse_yaml_config(conf, with_notary=with_notary, with_clair=with_clair, with_chartmuseum=with_chartmuseum)
|
config_dict = parse_yaml_config(conf, with_notary=with_notary, with_clair=with_clair, with_chartmuseum=with_chartmuseum)
|
||||||
validate(config_dict, notary_mode=with_notary)
|
try:
|
||||||
|
validate(config_dict, notary_mode=with_notary)
|
||||||
|
except Exception as e:
|
||||||
|
print("Config validation Error: ", e)
|
||||||
|
|
||||||
prepare_log_configs(config_dict)
|
prepare_log_configs(config_dict)
|
||||||
prepare_nginx(config_dict)
|
prepare_nginx(config_dict)
|
||||||
|
|
|
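Review bot: The new `except Exception as e:` around `validate(config_dict, notary_mode=with_notary)` only prints the error and then continues into `prepare_log_configs(config_dict)` and `prepare_nginx(config_dict)`, so a rejected configuration (placeholder hostname, missing cert path, http with Notary) still gets rendered and the process exits 0. Since install.sh now relies on this validator instead of its own hostname check, the handler should terminate with a non-zero status: `except Exception as e:` / `print("Config validation Error: ", e)` / `raise SystemExit(1)`. `main` begins outside the hunk, so I have not seen whether an outer handler already does this, but nothing in the visible lines stops the fall-through.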
@ -1,20 +1,31 @@
|
||||||
import yaml
|
import yaml
|
||||||
|
import logging
|
||||||
from g import versions_file_path
|
from g import versions_file_path
|
||||||
from .misc import generate_random_string
|
from .misc import generate_random_string
|
||||||
|
|
||||||
default_db_max_idle_conns = 2 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxIdleConns
|
default_db_max_idle_conns = 2 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxIdleConns
|
||||||
default_db_max_open_conns = 0 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxOpenConns
|
default_db_max_open_conns = 0 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxOpenConns
|
||||||
|
default_https_cert_path = '/your/certificate/path'
|
||||||
|
default_https_key_path = '/your/certificate/path'
|
||||||
|
def validate(conf: dict, **kwargs):
|
||||||
|
# hostname validate
|
||||||
|
if conf.get('hostname') == '127.0.0.1':
|
||||||
|
raise Exception("127.0.0.1 can not be the hostname")
|
||||||
|
if conf.get('hostname') == 'reg.mydomain.com':
|
||||||
|
raise Exception("Please specify hostname")
|
||||||
|
|
||||||
def validate(conf, **kwargs):
|
# protocol validate
|
||||||
protocol = conf.get("protocol")
|
protocol = conf.get("protocol")
|
||||||
if protocol != "https" and kwargs.get('notary_mode'):
|
if protocol != "https" and kwargs.get('notary_mode'):
|
||||||
raise Exception(
|
raise Exception(
|
||||||
"Error: the protocol must be https when Harbor is deployed with Notary")
|
"Error: the protocol must be https when Harbor is deployed with Notary")
|
||||||
if protocol == "https":
|
if protocol == "https":
|
||||||
if not conf.get("cert_path"):
|
if not conf.get("cert_path") or conf["cert_path"] == default_https_cert_path:
|
||||||
raise Exception("Error: The protocol is https but attribute ssl_cert is not set")
|
raise Exception("Error: The protocol is https but attribute ssl_cert is not set")
|
||||||
if not conf.get("cert_key_path"):
|
if not conf.get("cert_key_path") or conf['cert_key_path'] == default_https_key_path:
|
||||||
raise Exception("Error: The protocol is https but attribute ssl_cert_key is not set")
|
raise Exception("Error: The protocol is https but attribute ssl_cert_key is not set")
|
||||||
|
if protocol == "http":
|
||||||
|
logging.warning("WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https")
|
||||||
|
|
||||||
# log endpoint validate
|
# log endpoint validate
|
||||||
if ('log_ep_host' in conf) and not conf['log_ep_host']:
|
if ('log_ep_host' in conf) and not conf['log_ep_host']:
|
||||||
|
|
|
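Review bot: `default_https_key_path = '/your/certificate/path'` does not match the placeholder the shipped harbor.yml uses for the key, which is `/your/private/key/path` (see the `private_key:` line of the yml hunk and the `sed` in the test script hunk), so the new `conf['cert_key_path'] == default_https_key_path` comparison never fires for an untouched config and only the certificate placeholder is caught. The line should be `default_https_key_path = '/your/private/key/path'`. As a minor style point, the `logging.warning(...)` message starts with a literal `WARNING:` that the logging formatter already supplies, so the prefix can be dropped.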
@ -4,6 +4,9 @@ IP=`ip addr s eth0 |grep "inet "|awk '{print $2}' |awk -F "/" '{print $1}'`
|
||||||
#echo $IP
|
#echo $IP
|
||||||
sudo sed "s/reg.mydomain.com/$IP/" -i make/harbor.yml
|
sudo sed "s/reg.mydomain.com/$IP/" -i make/harbor.yml
|
||||||
|
|
||||||
echo "https:" >> make/harbor.yml
|
# TODO: remove it when scanner adapter support internal access of harbor
|
||||||
echo " certificate: /data/cert/server.crt" >> make/harbor.yml
|
echo "storage_service:" >> make/harbor.yml
|
||||||
echo " private_key: /data/cert/server.key" >> make/harbor.yml
|
echo " ca_bundle: /data/cert/server.crt" >> make/harbor.yml
|
||||||
|
|
||||||
|
sed "s|/your/certificate/path|/data/cert/server.crt|g" -i make/harbor.yml
|
||||||
|
sed "s|/your/private/key/path|/data/cert/server.key|g" -i make/harbor.yml
|
||||||
|
|
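Review bot: The two added `sed ... -i make/harbor.yml` lines run without `sudo`, while the existing hostname rewrite on the same file a few lines above uses `sudo sed`; if `make/harbor.yml` is only writable as root in this environment, the new substitutions fail and the cert/key placeholders stay in place, which the validator would then reject. Either drop `sudo` from all three if the file is user-writable, or use `sudo sed "s|/your/certificate/path|/data/cert/server.crt|g" -i make/harbor.yml` and the matching key line for consistency. The `ca_bundle` append relies on the `storage_service:` key being absent from the yml already, which I cannot confirm from the hunk.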