From 07a1d516939571178f40a8887c56dd67276e9e54 Mon Sep 17 00:00:00 2001
From: DQ
Date: Tue, 11 Feb 2020 14:39:19 +0800
Subject: [PATCH] Feat: enable tls in registryctl

Add tls related code in registryctl

Signed-off-by: DQ
---
 make/photon/prepare/models.py | 5 ++---
 src/registryctl/client/client.go | 4 +++-
 src/registryctl/main.go | 21 ++++++---------------
 3 files changed, 11 insertions(+), 19 deletions(-)

diff --git a/make/photon/prepare/models.py b/make/photon/prepare/models.py
index 6c043ba70..555cc50cf 100644
--- a/make/photon/prepare/models.py
+++ b/make/photon/prepare/models.py
@@ -117,9 +117,8 @@ class InternalTLS:
 logging.info('internal tls NOT enabled...')
 return
 original_tls_dir = get_realpath(self.tls_dir)
- rmtree(internal_tls_dir)
- if not internal_tls_dir.exists():
- os.makedirs(internal_tls_dir)
+ if internal_tls_dir.exists():
+ rmtree(internal_tls_dir)
 copytree(original_tls_dir, internal_tls_dir, symlinks=True)
 
 for file in internal_tls_dir.iterdir():
diff --git a/src/registryctl/client/client.go b/src/registryctl/client/client.go
index fc6453680..e10589496 100644
--- a/src/registryctl/client/client.go
+++ b/src/registryctl/client/client.go
@@ -57,7 +57,9 @@ func NewClient(baseURL string, cfg *Config) Client {
 }
 if cfg != nil {
 authorizer := auth.NewSecretAuthorizer(cfg.Secret)
- client.client = common_http.NewClient(nil, authorizer)
+ client.client = common_http.NewClient(&http.Client{
+ Transport: common_http.GetHTTPTransport(common_http.InternalTransport),
+ }, authorizer)
 }
 return client
 }
diff --git a/src/registryctl/main.go b/src/registryctl/main.go
index 835403427..e0509665e 100644
--- a/src/registryctl/main.go
+++ b/src/registryctl/main.go
@@ -19,6 +19,7 @@ import (
 "flag"
 "net/http"
 
+ commonhttp "github.com/goharbor/harbor/src/common/http"
 "github.com/goharbor/harbor/src/common/utils/log"
 "github.com/goharbor/harbor/src/registryctl/config"
 "github.com/goharbor/harbor/src/registryctl/handlers"
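Review bot: `Path.exists()` follows symlinks, so if `internal_tls_dir` is left behind as a dangling symlink the new `if internal_tls_dir.exists():` guard skips the cleanup and the following `copytree` then fails when it tries to create the destination; the old unconditional `rmtree` had the mirror problem of raising when the directory was absent. Because this directory receives the internal TLS key material, the cleanup should deal with a symlink explicitly before falling through to `rmtree`, which itself refuses to operate on a symlink. `internal_tls_dir` is assigned above the hunk and the enclosing method continues past it.
```python
        if internal_tls_dir.is_symlink():
            internal_tls_dir.unlink()
        elif internal_tls_dir.exists():
            rmtree(internal_tls_dir)
        # … unchanged: copytree and the per-file loop …
```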
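Review bot: The `http.Client` literal added on the `client.client = common_http.NewClient(&http.Client{` line sets only `Transport`, so the client has no `Timeout` and a registryctl request that hangs blocks the caller indefinitely, unless `common_http.NewClient` applies one to a non-nil client, which the hunk does not show. Before this change `nil` was passed, so whatever default the helper applied on that path is now bypassed by the explicit client. Suggest adding `Timeout: 30 * time.Second,` (constructed value) next to `Transport`, with a `time` import if the file lacks one. `NewClient` begins before the hunk; its remaining lines are visible as context.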
@@ -37,25 +38,15 @@ func (s *RegistryCtl) Start() {
 Handler: s.Handler,
 }
 
- if s.ServerConf.Protocol == "HTTPS" {
- tlsCfg := &tls.Config{
- MinVersion: tls.VersionTLS12,
- CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
- PreferServerCipherSuites: true,
- CipherSuites: []uint16{
- tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
- tls.TLS_RSA_WITH_AES_256_CBC_SHA,
- },
+ if s.ServerConf.Protocol == "https" {
+ regCtl.TLSConfig = &tls.Config{
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ ClientCAs: commonhttp.GetInternalCA(nil),
 }
-
- regCtl.TLSConfig = tlsCfg
- regCtl.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0)
 }
 
 var err error
- if s.ServerConf.Protocol == "HTTPS" {
+ if s.ServerConf.Protocol == "https" {
 err = regCtl.ListenAndServeTLS(s.ServerConf.HTTPSConfig.Cert, s.ServerConf.HTTPSConfig.Key)
 } else {
 err = regCtl.ListenAndServe()
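Review bot: The new literal on the `regCtl.TLSConfig = &tls.Config{` line drops the `MinVersion: tls.VersionTLS12` that the removed config carried, so the server falls back to the crypto/tls default floor, which for servers in the Go releases of this era is TLS 1.0, and the explicit cipher list goes with it. Keep `MinVersion: tls.VersionTLS12,` in the new literal. Separately, `ClientCAs: commonhttp.GetInternalCA(nil)` is used without a check: if that helper can return a nil pool (for example when the CA file is missing), `RequireAndVerifyClientCert` verifies client certificates against the system roots rather than the internal CA, so the pool should be fetched into a local, checked for nil, and startup aborted when it is absent. The protocol comparison changes from "HTTPS" to "https" on both `if` lines, which only works if the config loader now yields the lowercase form; this patch does not touch that code. `Start` begins and ends outside the hunk.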