Commit ccf8ad31 authored by BAIRE Anthony's avatar BAIRE Anthony

allow using a custom CA certificate to connect to the registry

parent 13e204ea
......@@ -41,6 +41,7 @@ import json
import logging
import os
import re
import ssl
import sys
import time
import weakref
......@@ -329,7 +330,7 @@ class AllgoAio:
return self.http_client.request(method, self.django_url+path, *k, **kw)
async def run(self, fork, pidfile):
async def run(self, fork, pidfile, cafile):
"""main task (run the server)"""
assert self._shutdown_requested is None, "run() must not be called multiple times"
......@@ -340,6 +341,20 @@ class AllgoAio:
# create the aiohttp client
self.http_client = aiohttp.ClientSession()
# load the CA certificate
try:
# ugly hack: store the ssl context directy in the connector (the aiohttp client v1.2
# does not support explicit ssl contextes)
assert aiohttp.__version__ == '1.2.0'
self.http_client.connector._ssl_context = ssl.create_default_context(cafile=cafile)
except OSError as e:
k = "unable to load CA file %r (%s)", cafile, e
if isinstance(e, FileNotFoundError) and cafile == "/vol/ro/certs/registry.crt":
log.warning(*k)
else:
log.error(*k)
sys.exit(1)
# create redis client
self.redis_client = await self.create_redis(reconnecting=True)
......
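Review bot: The only thing protecting the write to the private `connector._ssl_context` is `assert aiohttp.__version__ == '1.2.0'`, and an `assert` is the wrong tool here: under `python -O` it vanishes, and on any other aiohttp release the assignment would just create an unused attribute, so the custom CA would silently never be installed (connections to a registry signed by it then fail against the default trust store — fail-closed, but with an error far from its cause). When the assert does fire, `AssertionError` is not an `OSError`, so it escapes the `except` and aborts startup with a bare traceback instead of the intended log line. I believe the 1.x `TCPConnector` already accepts an explicit `ssl_context=` argument, which removes the need for the hack: build the context first and pass it to the connector (excerpt below; the `except` body stays as written). Separately, `ssl.create_default_context(cafile=...)` loads only that file and not the system trust store, and this session is also used for the `self.django_url` requests in the method above — if that URL is HTTPS with a publicly-trusted certificate it would stop verifying, so either call `ctx.load_default_certs()` as well or give the registry its own session. `run()` continues outside the hunk.
```python
# create the aiohttp client, trusting the registry CA when it can be loaded
ssl_ctx = None
try:
    ssl_ctx = ssl.create_default_context(cafile=cafile)
except OSError as e:
    # … unchanged: warn when the default file is missing, otherwise log.error + sys.exit(1) …
# TCPConnector takes the context directly; no version pin or private attribute needed
connector = aiohttp.TCPConnector(ssl_context=ssl_ctx)
self.http_client = aiohttp.ClientSession(connector=connector)
```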
......@@ -63,6 +63,8 @@ parser.add_argument("--daemon", action="store_true",
help="daemonise after startup")
parser.add_argument("--pidfile", metavar="PATH", default="/run/aio.pid",
help="daemon pid file (default: /run/aio.pid)")
parser.add_argument("--cafile", metavar="PEMFILE", default="/vol/ro/certs/registry.crt",
help="path to the registry CA certificate (default: /vol/ro/certs/registry.crt)")
args = parser.parse_args()
......@@ -83,7 +85,7 @@ try:
loop.add_signal_handler(signal.SIGTERM, app.shutdown)
#loop.add_signal_handler(signal.SIGHUP, app.reload)
loop.run_until_complete(app.run(args.daemon, args.pidfile))
loop.run_until_complete(app.run(args.daemon, args.pidfile, args.cafile))
finally:
loop.remove_signal_handler(signal.SIGINT)
loop.remove_signal_handler(signal.SIGTERM)
......
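Review bot: The literal `/vol/ro/certs/registry.crt` now lives in two places — the argparse default here and, in the companion hunk, the string compared against `cafile` to decide that a missing file is only a warning — so editing one without the other silently changes the warn-vs-fail decision. Define it once (e.g. a shared `DEFAULT_CAFILE = "/vol/ro/certs/registry.crt"` constant imported by both modules, or pass `cafile_is_default=(args.cafile == parser.get_default("cafile"))` into `run()`) so the two cannot drift. The help text could also state that a missing file is tolerated only at the default location and is fatal for an explicitly given path, since that is the behaviour the other hunk implements.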
......@@ -112,6 +112,8 @@ server
proxy_pass {ALLGO_REGISTRY_PRIVATE_URL}/v2/;
proxy_redirect off;
proxy_buffering off;
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /vol/ro/certs/registry.crt;
location ~ ^/v2/.*/manifests/[^/]*$ {
proxy_pass http://aio;
......
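Review bot: The two new directives turn on chain verification but leave `proxy_ssl_verify_depth` at its default of 1 and `proxy_ssl_protocols` at nginx's default, which on releases contemporary with aiohttp 1.2 still includes TLSv1 and TLSv1.1; if `registry.crt` is a root and the registry presents an intermediate the handshake will fail, and either way the legacy protocols remain negotiable. Add `proxy_ssl_protocols TLSv1.2 TLSv1.3;` (TLSv1.2 alone on nginx older than 1.13) and, if the chain has an intermediate, `proxy_ssl_verify_depth 2;` next to them; `proxy_ssl_server_name on;` is also worth considering when the registry host is vhosted, since SNI is off by default. These directives only take effect if `{ALLGO_REGISTRY_PRIVATE_URL}` expands to an `https://` URL — with `http://` the upstream hop stays unverified plaintext, which the template does not show. The enclosing `server`/`location` block continues outside the hunk.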