Fix Dockerfiles for the secure TLS change

Signed-off-by: DQ <dengq@vmware.com>
This commit is contained in:
DQ 2020-03-12 02:13:58 +08:00
parent 115185894f
commit 03e11c63c7
13 changed files with 54 additions and 45 deletions


@ -2,12 +2,18 @@ ARG harbor_base_image_version
FROM goharbor/harbor-core-base:${harbor_base_image_version} FROM goharbor/harbor-core-base:${harbor_base_image_version}
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v2.0/ping || exit 1 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v2.0/ping || exit 1
COPY ./make/photon/common/install_cert.sh /harbor/
COPY ./make/photon/core/entrypoint.sh /harbor/
COPY ./make/photon/core/harbor_core /harbor/ COPY ./make/photon/core/harbor_core /harbor/
COPY ./src/core/views /harbor/views COPY ./src/core/views /harbor/views
COPY ./make/migrations /harbor/migrations COPY ./make/migrations /harbor/migrations
RUN chmod u+x /harbor/harbor_core RUN chown -R harbor:harbor /etc/pki/tls/certs \
&& chown harbor:harbor /harbor/entrypoint.sh && chmod u+x /harbor/entrypoint.sh \
&& chown harbor:harbor /harbor/install_cert.sh && chmod u+x /harbor/install_cert.sh \
&& chown harbor:harbor /harbor/harbor_core && chmod u+x /harbor/harbor_core
WORKDIR /harbor/ WORKDIR /harbor/
USER harbor USER harbor
ENTRYPOINT ["/harbor/harbor_core"] ENTRYPOINT ["/harbor/entrypoint.sh"]
COPY make/photon/prepare/versions /harbor/ COPY make/photon/prepare/versions /harbor/
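Review bot: `chown -R harbor:harbor /etc/pki/tls/certs` hands the unprivileged service account write access to the whole system CA directory, so the same process that later verifies peers against that store can also change what it trusts; narrowing the grant to the one bundle file that install_cert.sh actually updates (the script is not in this view), or pre-creating that file and chowning only it, would keep the rest of the store root-owned. The identical grant appears in the jobservice Dockerfile in this commit. The HEALTHCHECK line is unchanged and still probes `http://127.0.0.1:8080`; if core serves HTTPS when INTERNAL_TLS_ENABLED is set, the probe will report the container unhealthy, which is worth checking alongside this change.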


@ -2,5 +2,5 @@ FROM photon:2.0
RUN tdnf install sudo tzdata -y >> /dev/null \ RUN tdnf install sudo tzdata -y >> /dev/null \
&& tdnf clean all \ && tdnf clean all \
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor \ && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor \
&& mkdir /harbor/ && mkdir /harbor/


@ -0,0 +1,7 @@
#!/bin/sh
set -e
/harbor/install_cert.sh
/harbor/harbor_core
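Review bot: The last line starts harbor_core as a child of the sh wrapper, so the shell rather than the server is PID 1 and the SIGTERM sent by `docker stop` is not delivered to the binary; change it to `exec /harbor/harbor_core` so the process replaces the shell. The jobservice entrypoint.sh added in this commit needs the same `exec` in front of `/harbor/harbor_jobservice -c /etc/jobservice/config.yml`. The hunk header counts seven added lines but only four are shown here, so the tail of the script may be cut off in this view.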


@ -1,9 +1,15 @@
ARG harbor_base_image_version ARG harbor_base_image_version
FROM goharbor/harbor-jobservice-base:${harbor_base_image_version} FROM goharbor/harbor-jobservice-base:${harbor_base_image_version}
COPY ./make/photon/common/install_cert.sh /harbor/
COPY ./make/photon/jobservice/entrypoint.sh /harbor/
COPY ./make/photon/jobservice/harbor_jobservice /harbor/ COPY ./make/photon/jobservice/harbor_jobservice /harbor/
RUN chmod u+x /harbor/harbor_jobservice
RUN chown -R harbor:harbor /etc/pki/tls/certs \
&& chown harbor:harbor /harbor/entrypoint.sh && chmod u+x /harbor/entrypoint.sh \
&& chown harbor:harbor /harbor/install_cert.sh && chmod u+x /harbor/install_cert.sh \
&& chown harbor:harbor /harbor/harbor_jobservice && chmod u+x /harbor/harbor_jobservice
WORKDIR /harbor/ WORKDIR /harbor/
@ -13,4 +19,4 @@ VOLUME ["/var/log/jobs/"]
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v1/stats || exit 1 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v1/stats || exit 1
ENTRYPOINT ["/harbor/harbor_jobservice", "-c", "/etc/jobservice/config.yml"] ENTRYPOINT ["/harbor/entrypoint.sh"]


@ -2,4 +2,4 @@ FROM photon:2.0
RUN tdnf install sudo tzdata -y >> /dev/null \ RUN tdnf install sudo tzdata -y >> /dev/null \
&& tdnf clean all \ && tdnf clean all \
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor


@ -0,0 +1,7 @@
#!/bin/sh
set -e
/harbor/install_cert.sh
/harbor/harbor_jobservice -c /etc/jobservice/config.yml


@ -57,5 +57,5 @@ NO_PROXY={{core_no_proxy}}
INTERNAL_TLS_ENABLED=true INTERNAL_TLS_ENABLED=true
INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/core.key INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/core.key
INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/core.crt INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/core.crt
INTERNAL_TLS_TRUST_CA_PATH=/etc/harbor/ssl/harbor_internal_ca.crt INTERNAL_TLS_TRUST_CA_PATH=/harbor_cust_cert/harbor_internal_ca.crt
{% endif %} {% endif %}
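Review bot: INTERNAL_TLS_TRUST_CA_PATH now points into /harbor_cust_cert, the new bind-mount target in the compose template, while GetInternalTLSConfig in this same commit stops building a RootCAs pool; whether any Go code still reads this variable after the change (GetInternalCA, for example) is not visible here and is worth confirming so the templates do not carry a dead setting. A comment above the line such as `# CA is copied into the system trust store by install_cert.sh at start-up` would record the new flow for the next reader. The same path change appears in the jobservice and registryctl env templates in this commit.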


@ -89,7 +89,7 @@ services:
{%if internal_tls.enabled %} {%if internal_tls.enabled %}
- type: bind - type: bind
source: {{internal_tls.harbor_internal_ca_crt_path}} source: {{internal_tls.harbor_internal_ca_crt_path}}
target: /etc/harbor/ssl/harbor_internal_ca.crt target: /harbor_cust_cert/harbor_internal_ca.crt
- type: bind - type: bind
source: {{internal_tls.registryctl_crt_path}} source: {{internal_tls.registryctl_crt_path}}
target: /etc/harbor/ssl/registryctl.crt target: /etc/harbor/ssl/registryctl.crt
@ -121,17 +121,6 @@ services:
- SETUID - SETUID
volumes: volumes:
- {{data_volume}}/database:/var/lib/postgresql/data:z - {{data_volume}}/database:/var/lib/postgresql/data:z
{%if internal_tls.enabled %}
- type: bind
source: {{internal_tls.harbor_internal_ca_crt_path}}
target: /etc/harbor/ssl/harbor_internal_ca.crt
- type: bind
source: {{internal_tls.harbor_db_crt_path}}
target: /etc/harbor/ssl/harbor_db.crt
- type: bind
source: {{internal_tls.harbor_db_key_path}}
target: /etc/harbor/ssl/harbor_db.key
{% endif %}
networks: networks:
harbor: harbor:
{% if with_notary %} {% if with_notary %}
@ -187,7 +176,7 @@ services:
{%if internal_tls.enabled %} {%if internal_tls.enabled %}
- type: bind - type: bind
source: {{internal_tls.harbor_internal_ca_crt_path}} source: {{internal_tls.harbor_internal_ca_crt_path}}
target: /etc/harbor/ssl/harbor_internal_ca.crt target: /harbor_cust_cert/harbor_internal_ca.crt
- type: bind - type: bind
source: {{internal_tls.core_crt_path}} source: {{internal_tls.core_crt_path}}
target: /etc/harbor/ssl/core.crt target: /etc/harbor/ssl/core.crt
@ -267,7 +256,7 @@ services:
{%if internal_tls.enabled %} {%if internal_tls.enabled %}
- type: bind - type: bind
source: {{internal_tls.harbor_internal_ca_crt_path}} source: {{internal_tls.harbor_internal_ca_crt_path}}
target: /etc/harbor/ssl/harbor_internal_ca.crt target: /harbor_cust_cert/harbor_internal_ca.crt
- type: bind - type: bind
source: {{internal_tls.job_service_crt_path}} source: {{internal_tls.job_service_crt_path}}
target: /etc/harbor/ssl/job_service.crt target: /etc/harbor/ssl/job_service.crt
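Review bot: The database hunk removes the internal CA, harbor_db.crt and harbor_db.key binds entirely instead of re-targeting the CA as the other services do, so postgres receives no TLS material when internal_tls.enabled is set; if the database is intentionally kept off internal TLS, a template comment at that spot (`{# database is not part of internal TLS #}`) would stop a later reader from re-adding the mounts, and if it is not intentional the cert/key binds should be restored. The re-targeted CA binds are mounted read-write although the file is presumably only read at start-up; adding `read_only: true` to those bind entries would keep the service from altering its own trust source.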


@ -1,4 +1,5 @@
CORE_SECRET={{core_secret}} CORE_SECRET={{core_secret}}
REGISTRY_URL={{registry_url}}
JOBSERVICE_SECRET={{jobservice_secret}} JOBSERVICE_SECRET={{jobservice_secret}}
CORE_URL={{core_url}} CORE_URL={{core_url}}
REGISTRY_CONTROLLER_URL={{registry_controller_url}} REGISTRY_CONTROLLER_URL={{registry_controller_url}}
@ -6,7 +7,7 @@ JOBSERVICE_WEBHOOK_JOB_MAX_RETRY={{notification_webhook_job_max_retry}}
{%if internal_tls.enabled %} {%if internal_tls.enabled %}
INTERNAL_TLS_ENABLED=true INTERNAL_TLS_ENABLED=true
INTERNAL_TLS_TRUST_CA_PATH=/etc/harbor/ssl/harbor_internal_ca.crt INTERNAL_TLS_TRUST_CA_PATH=/harbor_cust_cert/harbor_internal_ca.crt
INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/job_service.key INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/job_service.key
INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/job_service.crt INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/job_service.crt
{% endif %} {% endif %}


@ -2,7 +2,7 @@ CORE_SECRET={{core_secret}}
JOBSERVICE_SECRET={{jobservice_secret}} JOBSERVICE_SECRET={{jobservice_secret}}
{%if internal_tls.enabled %} {%if internal_tls.enabled %}
INTERNAL_TLS_ENABLED=true INTERNAL_TLS_ENABLED=true
INTERNAL_TLS_TRUST_CA_PATH=/etc/harbor/ssl/harbor_internal_ca.crt INTERNAL_TLS_TRUST_CA_PATH=/harbor_cust_cert/harbor_internal_ca.crt
INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/registryctl.key INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/registryctl.key
INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/registryctl.crt INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/registryctl.crt
{% endif %} {% endif %}


@ -16,6 +16,7 @@ package http
import ( import (
"bytes" "bytes"
"crypto/tls"
"encoding/json" "encoding/json"
"errors" "errors"
"io" "io"
@ -44,11 +45,19 @@ var (
) )
func init() { func init() {
secureHTTPTransport = &http.Transport{
Proxy: http.ProxyFromEnvironment,
TLSClientConfig: &tls.Config{
InsecureSkipVerify: false,
},
}
secureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone() insecureHTTPTransport = &http.Transport{
Proxy: http.ProxyFromEnvironment,
insecureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone() TLSClientConfig: &tls.Config{
insecureHTTPTransport.TLSClientConfig.InsecureSkipVerify = true InsecureSkipVerify: true,
},
}
if InternalTLSEnabled() { if InternalTLSEnabled() {
tlsConfig, err := GetInternalTLSConfig() tlsConfig, err := GetInternalTLSConfig()
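Review bot: The new secureHTTPTransport and insecureHTTPTransport literals carry only Proxy and TLSClientConfig, so they lose the dial, TLS-handshake, idle and expect-continue timeouts that the previous DefaultTransport clone inherited, and a stalled internal peer can then hold a connection open indefinitely. Consider adding `TLSHandshakeTimeout: 10 * time.Second,` and `IdleConnTimeout: 90 * time.Second,` to both literals (the `time` import is not visible in this hunk and may need adding). The explicit `InsecureSkipVerify: false` is the zero value and serves only as documentation; a comment such as `// peers are verified against the system root store, which install_cert.sh presumably populates at start-up` states the intent more clearly. init() continues past the end of the hunk.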


@ -74,9 +74,6 @@ func GetInternalCertPair() (tls.Certificate, error) {
// GetInternalTLSConfig return a tls.Config for internal https communicate // GetInternalTLSConfig return a tls.Config for internal https communicate
func GetInternalTLSConfig() (*tls.Config, error) { func GetInternalTLSConfig() (*tls.Config, error) {
// generate ca pool
caCertPool := GetInternalCA(nil)
// genrate key pair // genrate key pair
cert, err := GetInternalCertPair() cert, err := GetInternalCertPair()
if err != nil { if err != nil {
@ -84,7 +81,6 @@ func GetInternalTLSConfig() (*tls.Config, error) {
} }
return &tls.Config{ return &tls.Config{
RootCAs: caCertPool,
Certificates: []tls.Certificate{cert}, Certificates: []tls.Certificate{cert},
}, nil }, nil
} }
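Review bot: With the RootCAs pool removed, the tls.Config returned here carries only the internal certificate pair, so any transport using it now verifies peers against the system root store rather than a pool built from INTERNAL_TLS_TRUST_CA_PATH; the doc comment still reads "return a tls.Config for internal https communicate" and should record that change of trust anchor, e.g. `// GetInternalTLSConfig returns a tls.Config holding the internal cert pair; peer verification relies on the system root store, not on an explicit CA pool.` If GetInternalCA has no remaining callers after this commit, that is worth confirming, since the env templates still set the trust-CA path. The surviving comment `// genrate key pair` has a typo (`generate`). The middle of the function body lies between the two hunks and is not shown.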


@ -44,7 +44,7 @@ var (
Cli = func() Client { Cli = func() Client {
url, _ := config.RegistryURL() url, _ := config.RegistryURL()
username, password := config.RegistryCredential() username, password := config.RegistryCredential()
return NewClient(url, username, password, true) return NewClient(url, username, password, false)
}() }()
accepts = []string{ accepts = []string{
@ -54,13 +54,6 @@ var (
schema2.MediaTypeManifest, schema2.MediaTypeManifest,
schema1.MediaTypeSignedManifest, schema1.MediaTypeSignedManifest,
} }
localRegistryURL = map[string]bool{
"http://registry:5000": true,
"https://registry:5443": true,
"http://core:8080": true,
"https://core:10443": true,
}
) )
// const definition // const definition
@ -112,9 +105,6 @@ func NewClient(url, username, password string, insecure bool) Client {
} else { } else {
transportType = commonhttp.SecureTransport transportType = commonhttp.SecureTransport
} }
if _, ok := localRegistryURL[strings.TrimRight(url, "/")]; ok {
transportType = commonhttp.SecureTransport
}
return &client{ return &client{
url: url, url: url,
@ -133,9 +123,7 @@ func NewClientWithAuthorizer(url string, authorizer internal.Authorizer, insecur
} else { } else {
transportType = commonhttp.SecureTransport transportType = commonhttp.SecureTransport
} }
if _, ok := localRegistryURL[strings.TrimRight(url, "/")]; ok {
transportType = commonhttp.SecureTransport
}
return &client{ return &client{
url: url, url: url,
authorizer: authorizer, authorizer: authorizer,
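Review bot: Removing the localRegistryURL override from NewClient and NewClientWithAuthorizer means the `insecure` argument is now honoured exactly as passed, so any caller elsewhere that passes `true` for `https://registry:5443` or `https://core:10443` silently moves from a verified transport to InsecureSkipVerify; those call sites should be audited together with this change (they are not visible here). The `Cli` default correctly switches to `false`. If `strings.TrimRight` was the only use of the `strings` import in this file, the import is now unused and the package will not compile, so the import block deserves a look. NewClientWithAuthorizer continues past the end of the hunk.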