|
| 1 | +#!/bin/bash |
| 2 | + |
| 3 | +# Script automates the creation and deployment of SSL certificates used to create Harbor instance with configuring Docker. Script also configures cluster nodes to connect to the Harbor instance. Script is for lab purposes. |
| 4 | + |
| 5 | +# Script Requirements: |
| 6 | +# - the registry node must have the /etc/hosts file pre-configured IPs for: |
| 7 | +# - master |
| 8 | +# - etcd0 |
| 9 | +# - node0 |
| 10 | +# - node1 |
| 11 | +# - registry AND reg.local (pointing to the same IP address) |
| 12 | + |
| 13 | +reg_name=reg.local |
| 14 | +public=$(echo $PublicIP) |
| 15 | +private=$(echo $PrivateIP) |
| 16 | + |
| 17 | +generate_CA_cert() |
| 18 | +{ |
| 19 | + touch ~/.rnd |
| 20 | + openssl genrsa -out ca.key 4096 |
| 21 | + openssl req -x509 -new -nodes -sha512 -days 3650 \ |
| 22 | + -subj "/C=US/ST=CA/L=Campbell/O=Mirantis/OU=Training/CN=$reg_name" \ |
| 23 | + -key ca.key \ |
| 24 | + -out ca.crt |
| 25 | +} |
| 26 | + |
| 27 | +generate_server_cert() |
| 28 | +{ |
| 29 | + openssl genrsa -out $reg_name.key 4096 |
| 30 | + openssl req -sha512 -new \ |
| 31 | + -subj "/C=US/ST=CA/L=Campbell/O=Mirantis/OU=Training/CN=$reg_name" \ |
| 32 | + -key $reg_name.key \ |
| 33 | + -out $reg_name.csr |
| 34 | + |
| 35 | + cat > temp.txt <<- "EOF" |
| 36 | + authorityKeyIdentifier=keyid,issuer |
| 37 | + basicConstraints=CA:FALSE |
| 38 | + keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment |
| 39 | + extendedKeyUsage = serverAuth |
| 40 | + subjectAltName = @alt_names |
| 41 | +
|
| 42 | + [alt_names] |
| 43 | + IP.1=$PrivateIP |
| 44 | + IP.2=$PublicIP |
| 45 | + DNS.1=$reg_name |
| 46 | + DNS.2=reg |
| 47 | + DNS.3=registry |
| 48 | + EOF |
| 49 | + |
| 50 | + while read line |
| 51 | + do |
| 52 | + eval echo "$line" |
| 53 | + done < "./temp.txt" > v3.ext |
| 54 | + rm temp.txt |
| 55 | + |
| 56 | + # Creating server certificate |
| 57 | + openssl x509 -req -sha512 -days 3650 \ |
| 58 | + -extfile v3.ext \ |
| 59 | + -CA ca.crt -CAkey ca.key -CAcreateserial \ |
| 60 | + -in $reg_name.csr \ |
| 61 | + -out $reg_name.crt |
| 62 | + |
| 63 | + # Creating .cert for Docker requirement |
| 64 | + openssl x509 -inform PEM \ |
| 65 | + -in $reg_name.crt \ |
| 66 | + -out $reg_name.cert |
| 67 | +} |
| 68 | + |
| 69 | +implement_certs() |
| 70 | +{ |
| 71 | + # Copying cert and key into place for Harbor to read |
| 72 | + sudo mkdir -p /data/cert |
| 73 | + sudo cp $reg_name.crt /data/cert/ |
| 74 | + sudo cp $reg_name.key /data/cert/ |
| 75 | + |
| 76 | + # Implementing cert and key for Docker to read |
| 77 | + sudo mkdir -p /etc/docker/certs.d/$reg_name/ |
| 78 | + sudo cp $reg_name.{cert,key} /etc/docker/certs.d/$reg_name/ |
| 79 | + sudo cp ca.crt /etc/docker/certs.d/$reg_name/ |
| 80 | + |
| 81 | + # Copying CA certificate to verify registry trust of docker client |
| 82 | + sudo cp ca.crt /usr/local/share/ca-certificates/$reg_name.crt |
| 83 | + sudo update-ca-certificates |
| 84 | + |
| 85 | + printf '{\n "live-restore": true\n}\n' | \ |
| 86 | + sudo tee -a /etc/docker/daemon.json |
| 87 | + |
| 88 | + sudo systemctl restart docker |
| 89 | +} |
| 90 | + |
| 91 | +configure_cluster_nodes() |
| 92 | +{ |
| 93 | + # Configuring cluster nodes to use Harbor registry |
| 94 | + for node in master node0 node1 |
| 95 | + do |
| 96 | + scp $reg_name.{key,crt,cert} $node:~/ |
| 97 | + scp ca.crt $node:~/ |
| 98 | + ssh $node "sudo mkdir -p /etc/docker/certs.d/$reg_name/ && \ |
| 99 | + sudo cp $reg_name.{key,cert} /etc/docker/certs.d/$reg_name/ && \ |
| 100 | + sudo cp ca.crt /usr/local/share/ca-certificates/$reg_name.crt && \ |
| 101 | + sudo update-ca-certificates && \ |
| 102 | + sudo systemctl restart docker" |
| 103 | + done |
| 104 | +} |
| 105 | + |
| 106 | + |
| 107 | +generate_CA_cert |
| 108 | +generate_server_cert |
| 109 | +implement_certs |
| 110 | +configure_cluster_nodes |
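Review bot: The `while read line; do eval echo "$line"` loop at file lines 50–53 passes every line of the extension template through `eval`, so shell metacharacters in `$PublicIP`/`$PrivateIP` (read from the environment at lines 14–15) are executed instead of substituted, and the missing `read -r` mangles backslashes. The same expansion is obtained natively by the heredoc itself: change line 35 to `cat > v3.ext <<EOF` (unquoted delimiter; note `<<-` strips leading tabs only, so the body and `EOF` must be tab-indented or sit at column 0) and drop lines 50–54 together with temp.txt. Lines 85–86 append a complete JSON object to /etc/docker/daemon.json with `tee -a`, which produces invalid JSON when the file already has content or the script is re-run, after which the `systemctl restart docker` on line 88 fails; write it with `tee` (no `-a`) only when the file is absent, or merge with `jq`. Lines 96 and 99 also copy the registry's private key `$reg_name.key` to every cluster node, yet a Docker client needs only `ca.crt` to trust the registry unless the server enforces client certificates, so scp `ca.crt` (and `.cert` only if mutual TLS is intended) and keep the server key on the registry host.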