Fix docker file with secure tls change
Signed-off-by: DQ <dengq@vmware.com>
parent
115185894f
commit
03e11c63c7
@ -2,12 +2,18 @@ ARG harbor_base_image_version
|
||||
FROM goharbor/harbor-core-base:${harbor_base_image_version}
|
||||
|
||||
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v2.0/ping || exit 1
|
||||
COPY ./make/photon/common/install_cert.sh /harbor/
|
||||
COPY ./make/photon/core/entrypoint.sh /harbor/
|
||||
COPY ./make/photon/core/harbor_core /harbor/
|
||||
COPY ./src/core/views /harbor/views
|
||||
COPY ./make/migrations /harbor/migrations
|
||||
|
||||
RUN chmod u+x /harbor/harbor_core
|
||||
RUN chown -R harbor:harbor /etc/pki/tls/certs \
|
||||
&& chown harbor:harbor /harbor/entrypoint.sh && chmod u+x /harbor/entrypoint.sh \
|
||||
&& chown harbor:harbor /harbor/install_cert.sh && chmod u+x /harbor/install_cert.sh \
|
||||
&& chown harbor:harbor /harbor/harbor_core && chmod u+x /harbor/harbor_core
|
||||
|
||||
WORKDIR /harbor/
|
||||
USER harbor
|
||||
ENTRYPOINT ["/harbor/harbor_core"]
|
||||
ENTRYPOINT ["/harbor/entrypoint.sh"]
|
||||
COPY make/photon/prepare/versions /harbor/
|
||||
|
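Review bot: The added `chown -R harbor:harbor /etc/pki/tls/certs` leaves the image's system trust store writable by the same unprivileged user that runs harbor_core, so a flaw in the service is enough to add a trusted CA for every TLS client in the container. The ownership change is presumably there so that install_cert.sh can run as `harbor` from the new entrypoint; that script is not shown on this page. If that is the reason, a comment above the RUN such as `# install_cert.sh runs as harbor at start and must be able to rewrite the CA bundle` would record the trade-off, and granting ownership of only the bundle file the script writes would narrow it. The jobservice Dockerfile in this commit carries the same RUN line.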
@ -2,5 +2,5 @@ FROM photon:2.0
|
||||
|
||||
RUN tdnf install sudo tzdata -y >> /dev/null \
|
||||
&& tdnf clean all \
|
||||
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor \
|
||||
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor \
|
||||
&& mkdir /harbor/
|
||||
|
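--- a/make/photon/core/entrypoint.sh
+++ b/make/photon/core/entrypoint.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+/harbor/install_cert.sh
+
+/harbor/harbor_core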
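Review bot: The last line starts `/harbor/harbor_core` as a child of the shell, so `sh` stays PID 1 and a SIGTERM from the container runtime is not passed on to the service, which then stops only when it is killed after the grace period. Ending the script with `exec /harbor/harbor_core "$@"` replaces the shell with the service and keeps any arguments given to the container. make/photon/jobservice/entrypoint.sh in this commit has the same shape and wants `exec /harbor/harbor_jobservice -c /etc/jobservice/config.yml`.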
@ -1,9 +1,15 @@
|
||||
ARG harbor_base_image_version
|
||||
FROM goharbor/harbor-jobservice-base:${harbor_base_image_version}
|
||||
|
||||
COPY ./make/photon/common/install_cert.sh /harbor/
|
||||
COPY ./make/photon/jobservice/entrypoint.sh /harbor/
|
||||
COPY ./make/photon/jobservice/harbor_jobservice /harbor/
|
||||
|
||||
RUN chmod u+x /harbor/harbor_jobservice
|
||||
|
||||
RUN chown -R harbor:harbor /etc/pki/tls/certs \
|
||||
&& chown harbor:harbor /harbor/entrypoint.sh && chmod u+x /harbor/entrypoint.sh \
|
||||
&& chown harbor:harbor /harbor/install_cert.sh && chmod u+x /harbor/install_cert.sh \
|
||||
&& chown harbor:harbor /harbor/harbor_jobservice && chmod u+x /harbor/harbor_jobservice
|
||||
|
||||
WORKDIR /harbor/
|
||||
|
||||
@ -13,4 +19,4 @@ VOLUME ["/var/log/jobs/"]
|
||||
|
||||
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v1/stats || exit 1
|
||||
|
||||
ENTRYPOINT ["/harbor/harbor_jobservice", "-c", "/etc/jobservice/config.yml"]
|
||||
ENTRYPOINT ["/harbor/entrypoint.sh"]
|
||||
|
@ -2,4 +2,4 @@ FROM photon:2.0
|
||||
|
||||
RUN tdnf install sudo tzdata -y >> /dev/null \
|
||||
&& tdnf clean all \
|
||||
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor
|
||||
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor
|
||||
|
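--- a/make/photon/jobservice/entrypoint.sh
+++ b/make/photon/jobservice/entrypoint.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+/harbor/install_cert.sh
+
+/harbor/harbor_jobservice -c /etc/jobservice/config.yml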
@ -57,5 +57,5 @@ NO_PROXY={{core_no_proxy}}
|
||||
INTERNAL_TLS_ENABLED=true
|
||||
INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/core.key
|
||||
INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/core.crt
|
||||
INTERNAL_TLS_TRUST_CA_PATH=/etc/harbor/ssl/harbor_internal_ca.crt
|
||||
INTERNAL_TLS_TRUST_CA_PATH=/harbor_cust_cert/harbor_internal_ca.crt
|
||||
{% endif %}
|
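Review bot: Nothing in this template says why `INTERNAL_TLS_TRUST_CA_PATH` moved to `/harbor_cust_cert/`, and the move changes what the service trusts. Judging by the Dockerfile and entrypoint changes in this commit, the file is presumably picked up by install_cert.sh at container start and merged into the system bundle. Because the same commit drops `RootCAs: caCertPool` from GetInternalTLSConfig, internal peers would then be verified against every root in that bundle rather than against the internal CA alone. A comment above the variable such as `# read by install_cert.sh at start and merged into the system trust store` would document this, and it is worth confirming that the wider trust is intended. The jobservice and registryctl env templates change the same variable.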
@ -89,7 +89,7 @@ services:
|
||||
{%if internal_tls.enabled %}
|
||||
- type: bind
|
||||
source: {{internal_tls.harbor_internal_ca_crt_path}}
|
||||
target: /etc/harbor/ssl/harbor_internal_ca.crt
|
||||
target: /harbor_cust_cert/harbor_internal_ca.crt
|
||||
- type: bind
|
||||
source: {{internal_tls.registryctl_crt_path}}
|
||||
target: /etc/harbor/ssl/registryctl.crt
|
||||
@ -121,17 +121,6 @@ services:
|
||||
- SETUID
|
||||
volumes:
|
||||
- {{data_volume}}/database:/var/lib/postgresql/data:z
|
||||
{%if internal_tls.enabled %}
|
||||
- type: bind
|
||||
source: {{internal_tls.harbor_internal_ca_crt_path}}
|
||||
target: /etc/harbor/ssl/harbor_internal_ca.crt
|
||||
- type: bind
|
||||
source: {{internal_tls.harbor_db_crt_path}}
|
||||
target: /etc/harbor/ssl/harbor_db.crt
|
||||
- type: bind
|
||||
source: {{internal_tls.harbor_db_key_path}}
|
||||
target: /etc/harbor/ssl/harbor_db.key
|
||||
{% endif %}
|
||||
networks:
|
||||
harbor:
|
||||
{% if with_notary %}
|
||||
@ -187,7 +176,7 @@ services:
|
||||
{%if internal_tls.enabled %}
|
||||
- type: bind
|
||||
source: {{internal_tls.harbor_internal_ca_crt_path}}
|
||||
target: /etc/harbor/ssl/harbor_internal_ca.crt
|
||||
target: /harbor_cust_cert/harbor_internal_ca.crt
|
||||
- type: bind
|
||||
source: {{internal_tls.core_crt_path}}
|
||||
target: /etc/harbor/ssl/core.crt
|
||||
@ -267,7 +256,7 @@ services:
|
||||
{%if internal_tls.enabled %}
|
||||
- type: bind
|
||||
source: {{internal_tls.harbor_internal_ca_crt_path}}
|
||||
target: /etc/harbor/ssl/harbor_internal_ca.crt
|
||||
target: /harbor_cust_cert/harbor_internal_ca.crt
|
||||
- type: bind
|
||||
source: {{internal_tls.job_service_crt_path}}
|
||||
target: /etc/harbor/ssl/job_service.crt
|
||||
|
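Review bot: The CA bind mounts retargeted to `/harbor_cust_cert/harbor_internal_ca.crt` are writable from inside the container, since the long-form entries shown carry only `type`, `source` and `target`. The services only need to read the CA, so adding `read_only: true` under each of the three retargeted entries keeps a compromised service from altering the host's copy of the file.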
@ -1,4 +1,5 @@
|
||||
CORE_SECRET={{core_secret}}
|
||||
REGISTRY_URL={{registry_url}}
|
||||
JOBSERVICE_SECRET={{jobservice_secret}}
|
||||
CORE_URL={{core_url}}
|
||||
REGISTRY_CONTROLLER_URL={{registry_controller_url}}
|
||||
@ -6,7 +7,7 @@ JOBSERVICE_WEBHOOK_JOB_MAX_RETRY={{notification_webhook_job_max_retry}}
|
||||
|
||||
{%if internal_tls.enabled %}
|
||||
INTERNAL_TLS_ENABLED=true
|
||||
INTERNAL_TLS_TRUST_CA_PATH=/etc/harbor/ssl/harbor_internal_ca.crt
|
||||
INTERNAL_TLS_TRUST_CA_PATH=/harbor_cust_cert/harbor_internal_ca.crt
|
||||
INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/job_service.key
|
||||
INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/job_service.crt
|
||||
{% endif %}
|
||||
|
@ -2,7 +2,7 @@ CORE_SECRET={{core_secret}}
|
||||
JOBSERVICE_SECRET={{jobservice_secret}}
|
||||
{%if internal_tls.enabled %}
|
||||
INTERNAL_TLS_ENABLED=true
|
||||
INTERNAL_TLS_TRUST_CA_PATH=/etc/harbor/ssl/harbor_internal_ca.crt
|
||||
INTERNAL_TLS_TRUST_CA_PATH=/harbor_cust_cert/harbor_internal_ca.crt
|
||||
INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/registryctl.key
|
||||
INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/registryctl.crt
|
||||
{% endif %}
|
||||
|
@ -16,6 +16,7 @@ package http
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/tls"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"io"
|
||||
@ -44,11 +45,19 @@ var (
|
||||
)
|
||||
|
||||
func init() {
|
||||
secureHTTPTransport = &http.Transport{
|
||||
Proxy: http.ProxyFromEnvironment,
|
||||
TLSClientConfig: &tls.Config{
|
||||
InsecureSkipVerify: false,
|
||||
},
|
||||
}
|
||||
|
||||
secureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()
|
||||
|
||||
insecureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()
|
||||
insecureHTTPTransport.TLSClientConfig.InsecureSkipVerify = true
|
||||
insecureHTTPTransport = &http.Transport{
|
||||
Proxy: http.ProxyFromEnvironment,
|
||||
TLSClientConfig: &tls.Config{
|
||||
InsecureSkipVerify: true,
|
||||
},
|
||||
}
|
||||
|
||||
if InternalTLSEnabled() {
|
||||
tlsConfig, err := GetInternalTLSConfig()
|
||||
|
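Review bot: The two transports in init() are now bare `http.Transport` literals, which drops the dial timeout, TLS handshake timeout and idle-connection limits that `http.DefaultTransport` carries, so a peer that stalls during connect or handshake is no longer timed out by the transport. This reads the `&http.Transport{...}` literals as the new side, which the added `crypto/tls` import supports. Cloning the default transport and then assigning a fresh `tls.Config` keeps those defaults and still avoids writing through a nil `TLSClientConfig`. init() continues past the end of the hunk.
```go
func init() {
	// Start from DefaultTransport so its timeouts and idle limits are kept.
	secureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()
	secureHTTPTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: false}

	insecureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()
	insecureHTTPTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}

	// … unchanged: InternalTLSEnabled() branch …
```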
@ -74,9 +74,6 @@ func GetInternalCertPair() (tls.Certificate, error) {
|
||||
|
||||
// GetInternalTLSConfig return a tls.Config for internal https communicate
|
||||
func GetInternalTLSConfig() (*tls.Config, error) {
|
||||
// generate ca pool
|
||||
caCertPool := GetInternalCA(nil)
|
||||
|
||||
// genrate key pair
|
||||
cert, err := GetInternalCertPair()
|
||||
if err != nil {
|
||||
@ -84,7 +81,6 @@ func GetInternalTLSConfig() (*tls.Config, error) {
|
||||
}
|
||||
|
||||
return &tls.Config{
|
||||
RootCAs: caCertPool,
|
||||
Certificates: []tls.Certificate{cert},
|
||||
}, nil
|
||||
}
|
||||
|
@ -44,7 +44,7 @@ var (
|
||||
Cli = func() Client {
|
||||
url, _ := config.RegistryURL()
|
||||
username, password := config.RegistryCredential()
|
||||
return NewClient(url, username, password, true)
|
||||
return NewClient(url, username, password, false)
|
||||
}()
|
||||
|
||||
accepts = []string{
|
||||
@ -54,13 +54,6 @@ var (
|
||||
schema2.MediaTypeManifest,
|
||||
schema1.MediaTypeSignedManifest,
|
||||
}
|
||||
|
||||
localRegistryURL = map[string]bool{
|
||||
"http://registry:5000": true,
|
||||
"https://registry:5443": true,
|
||||
"http://core:8080": true,
|
||||
"https://core:10443": true,
|
||||
}
|
||||
)
|
||||
|
||||
// const definition
|
||||
@ -112,9 +105,6 @@ func NewClient(url, username, password string, insecure bool) Client {
|
||||
} else {
|
||||
transportType = commonhttp.SecureTransport
|
||||
}
|
||||
if _, ok := localRegistryURL[strings.TrimRight(url, "/")]; ok {
|
||||
transportType = commonhttp.SecureTransport
|
||||
}
|
||||
|
||||
return &client{
|
||||
url: url,
|
||||
@ -133,9 +123,7 @@ func NewClientWithAuthorizer(url string, authorizer internal.Authorizer, insecur
|
||||
} else {
|
||||
transportType = commonhttp.SecureTransport
|
||||
}
|
||||
if _, ok := localRegistryURL[strings.TrimRight(url, "/")]; ok {
|
||||
transportType = commonhttp.SecureTransport
|
||||
}
|
||||
|
||||
return &client{
|
||||
url: url,
|
||||
authorizer: authorizer,
|
||||
|
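Review bot: With the `localRegistryURL` override gone, NewClient and NewClientWithAuthorizer honour the `insecure` argument for every URL, so any caller that still passes `true` for the in-cluster registry or core endpoint now talks to it without certificate verification. Only `Cli` is switched to `false` here (taking the second printed line as the new one); the remaining callers of both constructors are outside this page and should be checked. A doc comment on NewClient along the lines of `// insecure disables TLS verification for url, internal endpoints included.` would make the contract explicit. Both constructor bodies begin and end outside the hunks shown.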