Fix docker file with secure tls change

Signed-off-by: DQ <dengq@vmware.com>
2024-09-27 21:12:42 +02:00 · 2020-03-12 02:13:58 +08:00 · 2020-03-12 02:13:58 +08:00 · 03e11c63c7
commit 03e11c63c7
parent 115185894f
13 changed files with 54 additions and 45 deletions
--- a/make/photon/core/Dockerfile
+++ b/make/photon/core/Dockerfile
@ -2,12 +2,18 @@ ARG harbor_base_image_version
 FROM goharbor/harbor-core-base:${harbor_base_image_version}

 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v2.0/ping || exit 1
+COPY ./make/photon/common/install_cert.sh /harbor/
+COPY ./make/photon/core/entrypoint.sh /harbor/
 COPY ./make/photon/core/harbor_core /harbor/
 COPY ./src/core/views /harbor/views
 COPY ./make/migrations /harbor/migrations

-RUN chmod u+x /harbor/harbor_core
+RUN chown -R harbor:harbor /etc/pki/tls/certs \
+    && chown harbor:harbor /harbor/entrypoint.sh && chmod u+x /harbor/entrypoint.sh \
+    && chown harbor:harbor /harbor/install_cert.sh && chmod u+x /harbor/install_cert.sh \
+    && chown harbor:harbor /harbor/harbor_core && chmod u+x /harbor/harbor_core
+
 WORKDIR /harbor/
 USER harbor
-ENTRYPOINT ["/harbor/harbor_core"]
+ENTRYPOINT ["/harbor/entrypoint.sh"]
 COPY make/photon/prepare/versions /harbor/
--- a/make/photon/core/Dockerfile.base
+++ b/make/photon/core/Dockerfile.base
@ -2,5 +2,5 @@ FROM photon:2.0

 RUN tdnf install sudo tzdata -y >> /dev/null \
    && tdnf clean all \
-    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor \
+    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor \
    && mkdir /harbor/
--- a/make/photon/core/entrypoint.sh
+++ b/make/photon/core/entrypoint.sh
@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+/harbor/install_cert.sh
+
+/harbor/harbor_core
--- a/make/photon/jobservice/Dockerfile
+++ b/make/photon/jobservice/Dockerfile
@ -1,9 +1,15 @@
 ARG harbor_base_image_version
 FROM goharbor/harbor-jobservice-base:${harbor_base_image_version}

+COPY ./make/photon/common/install_cert.sh /harbor/
+COPY ./make/photon/jobservice/entrypoint.sh /harbor/
 COPY ./make/photon/jobservice/harbor_jobservice /harbor/

-RUN chmod u+x /harbor/harbor_jobservice
+
+RUN chown -R harbor:harbor /etc/pki/tls/certs \
+    && chown harbor:harbor /harbor/entrypoint.sh && chmod u+x /harbor/entrypoint.sh \
+    && chown harbor:harbor /harbor/install_cert.sh && chmod u+x /harbor/install_cert.sh \
+    && chown harbor:harbor /harbor/harbor_jobservice && chmod u+x /harbor/harbor_jobservice

 WORKDIR /harbor/

@ -13,4 +19,4 @@ VOLUME ["/var/log/jobs/"]

 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v1/stats || exit 1

-ENTRYPOINT ["/harbor/harbor_jobservice", "-c", "/etc/jobservice/config.yml"]
+ENTRYPOINT ["/harbor/entrypoint.sh"]
--- a/make/photon/jobservice/Dockerfile.base
+++ b/make/photon/jobservice/Dockerfile.base
@ -2,4 +2,4 @@ FROM photon:2.0

 RUN tdnf install sudo tzdata -y >> /dev/null \
    && tdnf clean all \
-    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor
+    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor
--- a/make/photon/jobservice/entrypoint.sh
+++ b/make/photon/jobservice/entrypoint.sh
@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+/harbor/install_cert.sh
+
+/harbor/harbor_jobservice -c /etc/jobservice/config.yml
--- a/make/photon/prepare/templates/core/env.jinja
+++ b/make/photon/prepare/templates/core/env.jinja
@ -57,5 +57,5 @@ NO_PROXY={{core_no_proxy}}
 INTERNAL_TLS_ENABLED=true
 INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/core.key
 INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/core.crt
-INTERNAL_TLS_TRUST_CA_PATH=/etc/harbor/ssl/harbor_internal_ca.crt
+INTERNAL_TLS_TRUST_CA_PATH=/harbor_cust_cert/harbor_internal_ca.crt
 {% endif %}
--- a/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
+++ b/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
@ -89,7 +89,7 @@ services:
 {%if internal_tls.enabled %}
      - type: bind
        source: {{internal_tls.harbor_internal_ca_crt_path}}
-        target: /etc/harbor/ssl/harbor_internal_ca.crt
+        target: /harbor_cust_cert/harbor_internal_ca.crt
      - type: bind
        source: {{internal_tls.registryctl_crt_path}}
        target: /etc/harbor/ssl/registryctl.crt
@ -121,17 +121,6 @@ services:
      - SETUID
    volumes:
      - {{data_volume}}/database:/var/lib/postgresql/data:z
-{%if internal_tls.enabled %}
-      - type: bind
-        source: {{internal_tls.harbor_internal_ca_crt_path}}
-        target: /etc/harbor/ssl/harbor_internal_ca.crt
-      - type: bind
-        source: {{internal_tls.harbor_db_crt_path}}
-        target: /etc/harbor/ssl/harbor_db.crt
-      - type: bind
-        source: {{internal_tls.harbor_db_key_path}}
-        target: /etc/harbor/ssl/harbor_db.key
-{% endif %}
    networks:
      harbor:
  {% if with_notary %}
@ -187,7 +176,7 @@ services:
 {%if internal_tls.enabled %}
      - type: bind
        source: {{internal_tls.harbor_internal_ca_crt_path}}
-        target: /etc/harbor/ssl/harbor_internal_ca.crt
+        target: /harbor_cust_cert/harbor_internal_ca.crt 
      - type: bind
        source: {{internal_tls.core_crt_path}}
        target: /etc/harbor/ssl/core.crt
@ -267,7 +256,7 @@ services:
 {%if internal_tls.enabled %}
      - type: bind
        source: {{internal_tls.harbor_internal_ca_crt_path}}
-        target: /etc/harbor/ssl/harbor_internal_ca.crt
+        target: /harbor_cust_cert/harbor_internal_ca.crt
      - type: bind
        source: {{internal_tls.job_service_crt_path}}
        target: /etc/harbor/ssl/job_service.crt
--- a/make/photon/prepare/templates/jobservice/env.jinja
+++ b/make/photon/prepare/templates/jobservice/env.jinja
@ -1,4 +1,5 @@
 CORE_SECRET={{core_secret}}
+REGISTRY_URL={{registry_url}}
 JOBSERVICE_SECRET={{jobservice_secret}}
 CORE_URL={{core_url}}
 REGISTRY_CONTROLLER_URL={{registry_controller_url}}
@ -6,7 +7,7 @@ JOBSERVICE_WEBHOOK_JOB_MAX_RETRY={{notification_webhook_job_max_retry}}

 {%if internal_tls.enabled %}
 INTERNAL_TLS_ENABLED=true
-INTERNAL_TLS_TRUST_CA_PATH=/etc/harbor/ssl/harbor_internal_ca.crt
+INTERNAL_TLS_TRUST_CA_PATH=/harbor_cust_cert/harbor_internal_ca.crt
 INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/job_service.key
 INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/job_service.crt
 {% endif %}
--- a/make/photon/prepare/templates/registryctl/env.jinja
+++ b/make/photon/prepare/templates/registryctl/env.jinja
@ -2,7 +2,7 @@ CORE_SECRET={{core_secret}}
 JOBSERVICE_SECRET={{jobservice_secret}}
 {%if internal_tls.enabled %}
 INTERNAL_TLS_ENABLED=true
-INTERNAL_TLS_TRUST_CA_PATH=/etc/harbor/ssl/harbor_internal_ca.crt
+INTERNAL_TLS_TRUST_CA_PATH=/harbor_cust_cert/harbor_internal_ca.crt
 INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/registryctl.key
 INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/registryctl.crt
 {% endif %}
--- a/src/common/http/client.go
+++ b/src/common/http/client.go
@ -16,6 +16,7 @@ package http

 import (
 	"bytes"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"io"
@ -44,11 +45,19 @@ var (
 )

 func init() {
+	secureHTTPTransport = &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: false,
+		},
+	}

-	secureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()
-
-	insecureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()
-	insecureHTTPTransport.TLSClientConfig.InsecureSkipVerify = true
+	insecureHTTPTransport = &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+		},
+	}

 	if InternalTLSEnabled() {
 		tlsConfig, err := GetInternalTLSConfig()
--- a/src/common/http/tls.go
+++ b/src/common/http/tls.go
@ -74,9 +74,6 @@ func GetInternalCertPair() (tls.Certificate, error) {

 // GetInternalTLSConfig return a tls.Config for internal https communicate
 func GetInternalTLSConfig() (*tls.Config, error) {
-	// generate ca pool
-	caCertPool := GetInternalCA(nil)
-
 	// genrate key pair
 	cert, err := GetInternalCertPair()
 	if err != nil {
@ -84,7 +81,6 @@ func GetInternalTLSConfig() (*tls.Config, error) {
 	}

 	return &tls.Config{
-		RootCAs:      caCertPool,
 		Certificates: []tls.Certificate{cert},
 	}, nil
 }
--- a/src/pkg/registry/client.go
+++ b/src/pkg/registry/client.go
@ -44,7 +44,7 @@ var (
 	Cli = func() Client {
 		url, _ := config.RegistryURL()
 		username, password := config.RegistryCredential()
-		return NewClient(url, username, password, true)
+		return NewClient(url, username, password, false)
 	}()

 	accepts = []string{
@ -54,13 +54,6 @@ var (
 		schema2.MediaTypeManifest,
 		schema1.MediaTypeSignedManifest,
 	}
-
-	localRegistryURL = map[string]bool{
-		"http://registry:5000":  true,
-		"https://registry:5443": true,
-		"http://core:8080":      true,
-		"https://core:10443":    true,
-	}
 )

 // const definition
@ -112,9 +105,6 @@ func NewClient(url, username, password string, insecure bool) Client {
 	} else {
 		transportType = commonhttp.SecureTransport
 	}
-	if _, ok := localRegistryURL[strings.TrimRight(url, "/")]; ok {
-		transportType = commonhttp.SecureTransport
-	}

 	return &client{
 		url:        url,
@ -133,9 +123,7 @@ func NewClientWithAuthorizer(url string, authorizer internal.Authorizer, insecur
 	} else {
 		transportType = commonhttp.SecureTransport
 	}
-	if _, ok := localRegistryURL[strings.TrimRight(url, "/")]; ok {
-		transportType = commonhttp.SecureTransport
-	}
+
 	return &client{
 		url:        url,
 		authorizer: authorizer,