harbor/make/photon/prepare/scripts/gencert.sh

#! /bin/bash
set -e

if [ -z "$1" ]; then
    echo "No argument supplied set days to 365"
    DAYS=365
else
    echo "No argument supplied set days to $1"
    DAYS=$1
fi

CA_KEY="harbor_internal_ca.key"
CA_CRT="harbor_internal_ca.crt"

# CA key and certificate
if [[ ! -f $CA_KEY && ! -f $CA_CRT ]]; then
openssl req -x509 -nodes -days $DAYS -newkey rsa:4096 \
        -keyout $CA_KEY -out $CA_CRT \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware"
else
    echo "$CA_KEY and $CA_CRT exist, use them to generate certs"
fi

# generate proxy key and csr
openssl req -new -newkey rsa:4096 -nodes -sha256 \
        -keyout proxy.key \
        -out proxy.csr \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=proxy"

# Sign proxy
echo subjectAltName = DNS.1:proxy > extfile.cnf
openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out proxy.crt

# generate portal key and csr
openssl req -new -newkey rsa:4096 -nodes -sha256 \
        -keyout portal.key \
        -out portal.csr \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=portal"

# Sign portal
echo subjectAltName = DNS.1:portal > extfile.cnf
openssl x509 -req -days $DAYS -sha256 -in portal.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out portal.crt

# generate core key and csr
openssl req -new \
        -newkey rsa:4096 -nodes -sha256 -keyout core.key \
        -out core.csr \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=core"

# Sign core csr with CA certificate and key
echo subjectAltName = DNS.1:core > extfile.cnf
openssl x509 -req -days $DAYS -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out core.crt


# job_service key
openssl req -new \
        -newkey rsa:4096 -nodes -sha256 -keyout job_service.key \
        -out job_service.csr \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=jobservice"

# sign job_service csr with CA certificate and key
echo subjectAltName = DNS.1:jobservice > extfile.cnf
openssl x509 -req -days $DAYS -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out job_service.crt

# generate registry key
openssl req -new \
        -newkey rsa:4096 -nodes -sha256 -keyout registry.key \
        -out registry.csr \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registry"

# sign registry csr with CA certificate and key
echo subjectAltName = DNS.1:registry > extfile.cnf
openssl x509 -req -days $DAYS -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out registry.crt

# generate registryctl key
openssl req -new \
        -newkey rsa:4096 -nodes -sha256 -keyout registryctl.key \
        -out registryctl.csr \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registryctl"

# sign registryctl csr with CA certificate and key
echo subjectAltName = DNS.1:registryctl > extfile.cnf
openssl x509 -req -days $DAYS -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out registryctl.crt


# generate trivy_adapter key
openssl req -new \
        -newkey rsa:4096 -nodes -sha256 -keyout trivy_adapter.key \
        -out trivy_adapter.csr \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=trivy-adapter"

# sign trivy_adapter csr with CA certificate and key
echo subjectAltName = DNS.1:trivy-adapter > extfile.cnf
openssl x509 -req -days $DAYS -sha256 -in trivy_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out trivy_adapter.crt


# generate harbor_db key
openssl req -new \
        -newkey rsa:4096 -nodes -sha256 -keyout harbor_db.key \
        -out harbor_db.csr \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=harbor_db"

# sign harbor_db csr with CA certificate and key
echo subjectAltName = DNS.1:harbor_db > extfile.cnf
openssl x509 -req -days $DAYS -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out harbor_db.crt
Feat: auto install ca in registry Signed-off-by: DQ <dengq@vmware.com> 2020-02-14 21:11:52 +08:00			`#! /bin/bash`
Add tls for trivy Add trivy tls cert files Add tivey tls env and config enhance gencert Signed-off-by: DQ <dengq@vmware.com> 2020-03-17 17:30:25 +08:00			`set -e`

			`if [ -z "$1" ]; then`
			`echo "No argument supplied set days to 365"`
			`DAYS=365`
			`else`
			`echo "No argument supplied set days to $1"`
			`DAYS=$1`
			`fi`
Feat: auto install ca in registry Signed-off-by: DQ <dengq@vmware.com> 2020-02-14 21:11:52 +08:00
Enhance: User can generate cert by their own ca key pair User can put their ca key pair on internal cert dir and name them to `harbor_internal_ca.key` and `harbor_internal_ca.crt` we wil use them to generate other certs Signed-off-by: DQ <dengq@vmware.com> 2020-03-18 11:25:04 +08:00			`CA_KEY="harbor_internal_ca.key"`
			`CA_CRT="harbor_internal_ca.crt"`

Feat: auto install ca in registry Signed-off-by: DQ <dengq@vmware.com> 2020-02-14 21:11:52 +08:00			`# CA key and certificate`
Enhance: User can generate cert by their own ca key pair User can put their ca key pair on internal cert dir and name them to `harbor_internal_ca.key` and `harbor_internal_ca.crt` we wil use them to generate other certs Signed-off-by: DQ <dengq@vmware.com> 2020-03-18 11:25:04 +08:00			`if [[ ! -f $CA_KEY && ! -f $CA_CRT ]]; then`
Add tls for trivy Add trivy tls cert files Add tivey tls env and config enhance gencert Signed-off-by: DQ <dengq@vmware.com> 2020-03-17 17:30:25 +08:00			`openssl req -x509 -nodes -days $DAYS -newkey rsa:4096 \`
Enhance: User can generate cert by their own ca key pair User can put their ca key pair on internal cert dir and name them to `harbor_internal_ca.key` and `harbor_internal_ca.crt` we wil use them to generate other certs Signed-off-by: DQ <dengq@vmware.com> 2020-03-18 11:25:04 +08:00			`-keyout $CA_KEY -out $CA_CRT \`
Feat: auto install ca in registry Signed-off-by: DQ <dengq@vmware.com> 2020-02-14 21:11:52 +08:00			`-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware"`
Enhance: User can generate cert by their own ca key pair User can put their ca key pair on internal cert dir and name them to `harbor_internal_ca.key` and `harbor_internal_ca.crt` we wil use them to generate other certs Signed-off-by: DQ <dengq@vmware.com> 2020-03-18 11:25:04 +08:00			`else`
			`echo "$CA_KEY and $CA_CRT exist, use them to generate certs"`
			`fi`
Feat: auto install ca in registry Signed-off-by: DQ <dengq@vmware.com> 2020-02-14 21:11:52 +08:00
			`# generate proxy key and csr`
			`openssl req -new -newkey rsa:4096 -nodes -sha256 \`
			`-keyout proxy.key \`
			`-out proxy.csr \`
			`-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=proxy"`

			`# Sign proxy`
Add Scan for internal tls (#13810) Signed-off-by: DQ <dengq@vmware.com> 2020-12-21 15:23:11 +08:00			`echo subjectAltName = DNS.1:proxy > extfile.cnf`
			`openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out proxy.crt`
Feat: auto install ca in registry Signed-off-by: DQ <dengq@vmware.com> 2020-02-14 21:11:52 +08:00
Add internal tls configs for portal add related file, config, command to enabled https for portal Signed-off-by: DQ <dengq@vmware.com> 2020-04-28 13:17:24 +08:00			`# generate portal key and csr`
			`openssl req -new -newkey rsa:4096 -nodes -sha256 \`
			`-keyout portal.key \`
			`-out portal.csr \`
			`-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=portal"`

			`# Sign portal`
Add Scan for internal tls (#13810) Signed-off-by: DQ <dengq@vmware.com> 2020-12-21 15:23:11 +08:00			`echo subjectAltName = DNS.1:portal > extfile.cnf`
			`openssl x509 -req -days $DAYS -sha256 -in portal.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out portal.crt`
Feat: auto install ca in registry Signed-off-by: DQ <dengq@vmware.com> 2020-02-14 21:11:52 +08:00
			`# generate core key and csr`
			`openssl req -new \`
			`-newkey rsa:4096 -nodes -sha256 -keyout core.key \`
			`-out core.csr \`
			`-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=core"`

			`# Sign core csr with CA certificate and key`
Add Scan for internal tls (#13810) Signed-off-by: DQ <dengq@vmware.com> 2020-12-21 15:23:11 +08:00			`echo subjectAltName = DNS.1:core > extfile.cnf`
			`openssl x509 -req -days $DAYS -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out core.crt`
Feat: auto install ca in registry Signed-off-by: DQ <dengq@vmware.com> 2020-02-14 21:11:52 +08:00

			`# job_service key`
			`openssl req -new \`
			`-newkey rsa:4096 -nodes -sha256 -keyout job_service.key \`
			`-out job_service.csr \`
			`-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=jobservice"`

			`# sign job_service csr with CA certificate and key`
Add Scan for internal tls (#13810) Signed-off-by: DQ <dengq@vmware.com> 2020-12-21 15:23:11 +08:00			`echo subjectAltName = DNS.1:jobservice > extfile.cnf`
			`openssl x509 -req -days $DAYS -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out job_service.crt`
Feat: auto install ca in registry Signed-off-by: DQ <dengq@vmware.com> 2020-02-14 21:11:52 +08:00
			`# generate registry key`
			`openssl req -new \`
			`-newkey rsa:4096 -nodes -sha256 -keyout registry.key \`
			`-out registry.csr \`
			`-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registry"`

			`# sign registry csr with CA certificate and key`
Add Scan for internal tls (#13810) Signed-off-by: DQ <dengq@vmware.com> 2020-12-21 15:23:11 +08:00			`echo subjectAltName = DNS.1:registry > extfile.cnf`
			`openssl x509 -req -days $DAYS -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out registry.crt`
Feat: auto install ca in registry Signed-off-by: DQ <dengq@vmware.com> 2020-02-14 21:11:52 +08:00
			`# generate registryctl key`
			`openssl req -new \`
			`-newkey rsa:4096 -nodes -sha256 -keyout registryctl.key \`
			`-out registryctl.csr \`
			`-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registryctl"`

			`# sign registryctl csr with CA certificate and key`
Add Scan for internal tls (#13810) Signed-off-by: DQ <dengq@vmware.com> 2020-12-21 15:23:11 +08:00			`echo subjectAltName = DNS.1:registryctl > extfile.cnf`
			`openssl x509 -req -days $DAYS -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out registryctl.crt`
Feat: auto install ca in registry Signed-off-by: DQ <dengq@vmware.com> 2020-02-14 21:11:52 +08:00

Add tls for trivy Add trivy tls cert files Add tivey tls env and config enhance gencert Signed-off-by: DQ <dengq@vmware.com> 2020-03-17 17:30:25 +08:00			`# generate trivy_adapter key`
			`openssl req -new \`
			`-newkey rsa:4096 -nodes -sha256 -keyout trivy_adapter.key \`
			`-out trivy_adapter.csr \`
Enhance: User can generate cert by their own ca key pair User can put their ca key pair on internal cert dir and name them to `harbor_internal_ca.key` and `harbor_internal_ca.crt` we wil use them to generate other certs Signed-off-by: DQ <dengq@vmware.com> 2020-03-18 11:25:04 +08:00			`-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=trivy-adapter"`
Add tls for trivy Add trivy tls cert files Add tivey tls env and config enhance gencert Signed-off-by: DQ <dengq@vmware.com> 2020-03-17 17:30:25 +08:00
			`# sign trivy_adapter csr with CA certificate and key`
Add Scan for internal tls (#13810) Signed-off-by: DQ <dengq@vmware.com> 2020-12-21 15:23:11 +08:00			`echo subjectAltName = DNS.1:trivy-adapter > extfile.cnf`
			`openssl x509 -req -days $DAYS -sha256 -in trivy_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out trivy_adapter.crt`
Feat: auto install ca in registry Signed-off-by: DQ <dengq@vmware.com> 2020-02-14 21:11:52 +08:00

			`# generate harbor_db key`
			`openssl req -new \`
			`-newkey rsa:4096 -nodes -sha256 -keyout harbor_db.key \`
			`-out harbor_db.csr \`
			`-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=harbor_db"`

			`# sign harbor_db csr with CA certificate and key`
Add Scan for internal tls (#13810) Signed-off-by: DQ <dengq@vmware.com> 2020-12-21 15:23:11 +08:00			`echo subjectAltName = DNS.1:harbor_db > extfile.cnf`
			`openssl x509 -req -days $DAYS -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile extfile.cnf -out harbor_db.crt`