Feat: enable tls in registryctlAdd tls related code in registryctl

Signed-off-by: DQ <dengq@vmware.com>
2025-01-03 06:28:06 +01:00 · 2020-02-11 14:39:19 +08:00 · 2020-02-11 14:39:19 +08:00 · 07a1d51693
commit 07a1d51693
parent 10753caf90
3 changed files with 11 additions and 19 deletions
--- a/make/photon/prepare/models.py
+++ b/make/photon/prepare/models.py
@ -117,9 +117,8 @@ class InternalTLS:
            logging.info('internal tls NOT enabled...')
            return
        original_tls_dir = get_realpath(self.tls_dir)
+        if internal_tls_dir.exists():
            rmtree(internal_tls_dir)
-        if not internal_tls_dir.exists():
-            os.makedirs(internal_tls_dir)
        copytree(original_tls_dir, internal_tls_dir, symlinks=True)

        for file in internal_tls_dir.iterdir():
--- a/src/registryctl/client/client.go
+++ b/src/registryctl/client/client.go
@ -57,7 +57,9 @@ func NewClient(baseURL string, cfg *Config) Client {
 	}
 	if cfg != nil {
 		authorizer := auth.NewSecretAuthorizer(cfg.Secret)
-		client.client = common_http.NewClient(nil, authorizer)
+		client.client = common_http.NewClient(&http.Client{
+			Transport: common_http.GetHTTPTransport(common_http.InternalTransport),
+		}, authorizer)
 	}
 	return client
 }
--- a/src/registryctl/main.go
+++ b/src/registryctl/main.go
@ -19,6 +19,7 @@ import (
 	"flag"
 	"net/http"

+	commonhttp "github.com/goharbor/harbor/src/common/http"
 	"github.com/goharbor/harbor/src/common/utils/log"
 	"github.com/goharbor/harbor/src/registryctl/config"
 	"github.com/goharbor/harbor/src/registryctl/handlers"
@ -37,25 +38,15 @@ func (s *RegistryCtl) Start() {
 		Handler: s.Handler,
 	}

-	if s.ServerConf.Protocol == "HTTPS" {
-		tlsCfg := &tls.Config{
-			MinVersion:               tls.VersionTLS12,
-			CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
-			PreferServerCipherSuites: true,
-			CipherSuites: []uint16{
-				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-				tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-				tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-				tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-			},
+	if s.ServerConf.Protocol == "https" {
+		regCtl.TLSConfig = &tls.Config{
+			ClientAuth: tls.RequireAndVerifyClientCert,
+			ClientCAs:  commonhttp.GetInternalCA(nil),
 		}
-
-		regCtl.TLSConfig = tlsCfg
-		regCtl.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0)
 	}

 	var err error
-	if s.ServerConf.Protocol == "HTTPS" {
+	if s.ServerConf.Protocol == "https" {
 		err = regCtl.ListenAndServeTLS(s.ServerConf.HTTPSConfig.Cert, s.ServerConf.HTTPSConfig.Key)
 	} else {
 		err = regCtl.ListenAndServe()