Feat: enable tls in registryctl

Add tls related code in registryctl

Signed-off-by: DQ <dengq@vmware.com>
This commit is contained in:
DQ 2020-02-11 14:39:19 +08:00
parent 10753caf90
commit 07a1d51693
3 changed files with 11 additions and 19 deletions


@ -117,9 +117,8 @@ class InternalTLS:
logging.info('internal tls NOT enabled...') logging.info('internal tls NOT enabled...')
return return
original_tls_dir = get_realpath(self.tls_dir) original_tls_dir = get_realpath(self.tls_dir)
if internal_tls_dir.exists():
rmtree(internal_tls_dir) rmtree(internal_tls_dir)
if not internal_tls_dir.exists():
os.makedirs(internal_tls_dir)
copytree(original_tls_dir, internal_tls_dir, symlinks=True) copytree(original_tls_dir, internal_tls_dir, symlinks=True)
for file in internal_tls_dir.iterdir(): for file in internal_tls_dir.iterdir():


@ -57,7 +57,9 @@ func NewClient(baseURL string, cfg *Config) Client {
} }
if cfg != nil { if cfg != nil {
authorizer := auth.NewSecretAuthorizer(cfg.Secret) authorizer := auth.NewSecretAuthorizer(cfg.Secret)
client.client = common_http.NewClient(nil, authorizer) client.client = common_http.NewClient(&http.Client{
Transport: common_http.GetHTTPTransport(common_http.InternalTransport),
}, authorizer)
} }
return client return client
} }
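Review bot: The `http.Client` introduced on the new side of line 29 sets only `Transport`, so the client has no `Timeout`; unless `common_http.NewClient` or the internal transport applies deadlines elsewhere (not visible here), a stalled registryctl would block the caller indefinitely. Passing `nil` before may have let `NewClient` substitute a default client, and if so that default is lost by this change. Consider `&http.Client{Timeout: <TIMEOUT_PLACEHOLDER>, Transport: common_http.GetHTTPTransport(common_http.InternalTransport)}`, or confirm that the transport carries a `ResponseHeaderTimeout`. NewClient's opening lines are outside the hunk.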


@ -19,6 +19,7 @@ import (
"flag" "flag"
"net/http" "net/http"
commonhttp "github.com/goharbor/harbor/src/common/http"
"github.com/goharbor/harbor/src/common/utils/log" "github.com/goharbor/harbor/src/common/utils/log"
"github.com/goharbor/harbor/src/registryctl/config" "github.com/goharbor/harbor/src/registryctl/config"
"github.com/goharbor/harbor/src/registryctl/handlers" "github.com/goharbor/harbor/src/registryctl/handlers"
@ -37,25 +38,15 @@ func (s *RegistryCtl) Start() {
Handler: s.Handler, Handler: s.Handler,
} }
if s.ServerConf.Protocol == "HTTPS" { if s.ServerConf.Protocol == "https" {
tlsCfg := &tls.Config{ regCtl.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, ClientCAs: commonhttp.GetInternalCA(nil),
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
} }
regCtl.TLSConfig = tlsCfg
regCtl.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0)
} }
var err error var err error
if s.ServerConf.Protocol == "HTTPS" { if s.ServerConf.Protocol == "https" {
err = regCtl.ListenAndServeTLS(s.ServerConf.HTTPSConfig.Cert, s.ServerConf.HTTPSConfig.Key) err = regCtl.ListenAndServeTLS(s.ServerConf.HTTPSConfig.Cert, s.ServerConf.HTTPSConfig.Key)
} else { } else {
err = regCtl.ListenAndServe() err = regCtl.ListenAndServe()
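Review bot: The new `tls.Config` on lines 49-51 drops `MinVersion: tls.VersionTLS12` together with the curve and cipher-suite preferences the old config carried, so the listener falls back to crypto/tls defaults, which for a Go server of this era still negotiate TLS 1.0 and 1.1; keep at least `MinVersion: tls.VersionTLS12,` next to `ClientAuth` and `ClientCAs`. It is also worth confirming what `commonhttp.GetInternalCA(nil)` returns when the internal CA cannot be loaded: if it yields a nil pool, `RequireAndVerifyClientCert` with `ClientCAs == nil` verifies client certificates against the system roots instead of the internal CA, which would accept any publicly issued client certificate. Removing the `TLSNextProto` assignment re-enables HTTP/2 on this listener, which seems intended but is not mentioned in the commit message. Start's body begins before and continues past this hunk.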