Merge internal Transport and Secure Transport

Signed-off-by: DQ <dengq@vmware.com>
2024-06-29 00:05:09 +02:00 · 2020-03-11 14:40:12 +08:00 · 2020-03-11 14:40:12 +08:00 · 115185894f
commit 115185894f
parent 02dea3ad2c
12 changed files with 30 additions and 56 deletions
--- a/src/chartserver/client.go
+++ b/src/chartserver/client.go
@ -31,7 +31,7 @@ type ChartClient struct {
 // NewChartClient is constructor of ChartClient
 // credential can be nil
 func NewChartClient(credential *Credential) *ChartClient { // Create http client with customized timeouts
-	tr := commonhttp.GetHTTPTransport(commonhttp.InternalTransport)
+	tr := commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
 	tr.MaxIdleConns = maxIdleConnections
 	tr.IdleConnTimeout = idleConnectionTimeout
 	client := &http.Client{
--- a/src/chartserver/reverse_proxy.go
+++ b/src/chartserver/reverse_proxy.go
@ -58,7 +58,7 @@ func NewProxyEngine(target *url.URL, cred *Credential, middlewares ...func(http.
 			director(target, cred, req)
 		},
 		ModifyResponse: modifyResponse,
-		Transport:      commonhttp.GetHTTPTransport(commonhttp.InternalTransport),
+		Transport:      commonhttp.GetHTTPTransport(commonhttp.SecureTransport),
 	}

 	if len(middlewares) > 0 {
--- a/src/common/config/store/driver/rest.go
+++ b/src/common/config/store/driver/rest.go
@ -18,7 +18,7 @@ type RESTDriver struct {
 // NewRESTDriver - Create RESTDriver
 func NewRESTDriver(configRESTURL string, modifiers ...modifier.Modifier) *RESTDriver {
 	if commonhttp.InternalTLSEnabled() {
-		tr := commonhttp.GetHTTPTransport(commonhttp.InternalTransport)
+		tr := commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
 		return &RESTDriver{configRESTURL: configRESTURL, client: commonhttp.NewClient(&http.Client{Transport: tr}, modifiers...)}

 	}
--- a/src/common/http/client.go
+++ b/src/common/http/client.go
@ -16,16 +16,16 @@ package http

 import (
 	"bytes"
-	"crypto/tls"
 	"encoding/json"
 	"errors"
-	"github.com/goharbor/harbor/src/common/http/modifier"
-	"github.com/goharbor/harbor/src/internal"
 	"io"
 	"io/ioutil"
 	"net/http"
 	"net/url"
 	"reflect"
+
+	"github.com/goharbor/harbor/src/common/http/modifier"
+	"github.com/goharbor/harbor/src/internal"
 )

 const (
@ -33,8 +33,7 @@ const (
 	DefaultTransport = iota
 	// InsecureTransport used to get the insecure http Transport
 	InsecureTransport
-	// InternalTransport used to get the internal secure http Transport
-	InternalTransport
+
 	// SecureTransport used to get the external secure http Transport
 	SecureTransport
 )
@ -42,26 +41,22 @@ const (
 var (
 	secureHTTPTransport   *http.Transport
 	insecureHTTPTransport *http.Transport
-	internalTransport     *http.Transport
 )

 func init() {

-	secureHTTPTransport = &http.Transport{
-		Proxy: http.ProxyFromEnvironment,
-		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: false,
-		},
-	}
+	secureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()

-	insecureHTTPTransport = &http.Transport{
-		Proxy: http.ProxyFromEnvironment,
-		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: true,
-		},
-	}
+	insecureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()
+	insecureHTTPTransport.TLSClientConfig.InsecureSkipVerify = true

-	initInternalTransport()
+	if InternalTLSEnabled() {
+		tlsConfig, err := GetInternalTLSConfig()
+		if err != nil {
+			panic(err)
+		}
+		secureHTTPTransport.TLSClientConfig = tlsConfig
+	}
 }

 // Client is a util for common HTTP operations, such Get, Head, Post, Put and Delete.
@ -71,24 +66,6 @@ type Client struct {
 	client    *http.Client
 }

-func initInternalTransport() {
-	if InternalTLSEnabled() {
-		tlsConfig, err := GetInternalTLSConfig()
-		if err != nil {
-			panic(err)
-		}
-		internalTransport = &http.Transport{
-			TLSClientConfig: tlsConfig,
-		}
-	} else {
-		internalTransport = &http.Transport{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-		}
-	}
-}
-
 // GetHTTPTransport returns HttpTransport based on insecure configuration
 func GetHTTPTransport(clientType uint) *http.Transport {
 	switch clientType {
@ -96,8 +73,6 @@ func GetHTTPTransport(clientType uint) *http.Transport {
 		return secureHTTPTransport.Clone()
 	case InsecureTransport:
 		return insecureHTTPTransport.Clone()
-	case InternalTransport:
-		return internalTransport.Clone()
 	default:
 		// default Transport is secure one
 		return secureHTTPTransport.Clone()
--- a/src/common/job/client.go
+++ b/src/common/job/client.go
@ -63,7 +63,7 @@ func Init() {
 func NewDefaultClient(endpoint, secret string) *DefaultClient {
 	var c *commonhttp.Client
 	httpCli := &http.Client{
-		Transport: commonhttp.GetHTTPTransport(commonhttp.InternalTransport),
+		Transport: commonhttp.GetHTTPTransport(commonhttp.SecureTransport),
 	}
 	if len(secret) > 0 {
 		c = commonhttp.NewClient(httpCli, auth.NewSecretAuthorizer(secret))
@ -81,7 +81,7 @@ func NewDefaultClient(endpoint, secret string) *DefaultClient {
 func NewReplicationClient(endpoint, secret string) *DefaultClient {
 	var tr *http.Transport
 	if endpoint == config.InternalCoreURL() {
-		tr = commonhttp.GetHTTPTransport(commonhttp.InternalTransport)
+		tr = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
 	} else {
 		tr = commonhttp.GetHTTPTransport(commonhttp.DefaultTransport)
 	}
--- a/src/core/api/health.go
+++ b/src/core/api/health.go
@ -131,7 +131,7 @@ func HTTPStatusCodeHealthChecker(method string, url string, header http.Header,
 		}

 		client := httputil.NewClient(&http.Client{
-			Transport: httputil.GetHTTPTransport(httputil.InternalTransport),
+			Transport: httputil.GetHTTPTransport(httputil.SecureTransport),
 			Timeout:   timeout,
 		})
 		resp, err := client.Do(req)
--- a/src/core/main.go
+++ b/src/core/main.go
@ -19,7 +19,6 @@ import (
 	"fmt"
 	"os"
 	"os/signal"
-	"strings"
 	"syscall"
 	"time"

@ -27,6 +26,7 @@ import (
 	_ "github.com/astaxie/beego/session/redis"
 	_ "github.com/goharbor/harbor/src/api/event/handler"
 	"github.com/goharbor/harbor/src/common/dao"
+	common_http "github.com/goharbor/harbor/src/common/http"
 	"github.com/goharbor/harbor/src/common/job"
 	"github.com/goharbor/harbor/src/common/models"
 	"github.com/goharbor/harbor/src/common/utils"
@ -162,15 +162,14 @@ func main() {

 	server.RegisterRoutes()

-	iTLSEnabled := os.Getenv("INTERNAL_TLS_ENABLED")
-	if strings.ToLower(iTLSEnabled) == "true" {
+	if common_http.InternalTLSEnabled() {
 		log.Info("internal TLS enabled, Init TLS ...")
 		iTLSKeyPath := os.Getenv("INTERNAL_TLS_KEY_PATH")
 		iTLSCertPath := os.Getenv("INTERNAL_TLS_CERT_PATH")
-		iTrustCA := os.Getenv("INTERNAL_TLS_TRUST_CA_PATH")

-		log.Infof("load client key: %s client cert: %s client TrustCA %s", iTLSKeyPath, iTLSCertPath, iTrustCA)
+		log.Infof("load client key: %s client cert: %s", iTLSKeyPath, iTLSCertPath)
 		// uncomment following if harbor2 is ready
+		// iTrustCA := os.Getenv("INTERNAL_TLS_TRUST_CA_PATH")
 		// beego.BConfig.Listen.EnableMutualHTTPS = true
 		// beego.BConfig.Listen.TrustCaFile = iTrustCA
 		beego.BConfig.Listen.EnableHTTPS = true
--- a/src/jobservice/job/impl/replication/scheduler.go
+++ b/src/jobservice/job/impl/replication/scheduler.go
@ -60,7 +60,7 @@ func (s *Scheduler) Run(ctx job.Context, params job.Parameters) error {
 	policyID := (int64)(params["policy_id"].(float64))
 	cred := auth.NewSecretAuthorizer(os.Getenv("JOBSERVICE_SECRET"))
 	client := common_http.NewClient(&http.Client{
-		Transport: common_http.GetHTTPTransport(common_http.InternalTransport),
+		Transport: common_http.GetHTTPTransport(common_http.SecureTransport),
 	}, cred)
 	if err := client.Post(url, struct {
 		PolicyID int64 `json:"policy_id"`
--- a/src/pkg/registry/client.go
+++ b/src/pkg/registry/client.go
@ -113,7 +113,7 @@ func NewClient(url, username, password string, insecure bool) Client {
 		transportType = commonhttp.SecureTransport
 	}
 	if _, ok := localRegistryURL[strings.TrimRight(url, "/")]; ok {
-		transportType = commonhttp.InternalTransport
+		transportType = commonhttp.SecureTransport
 	}

 	return &client{
@ -134,7 +134,7 @@ func NewClientWithAuthorizer(url string, authorizer internal.Authorizer, insecur
 		transportType = commonhttp.SecureTransport
 	}
 	if _, ok := localRegistryURL[strings.TrimRight(url, "/")]; ok {
-		transportType = commonhttp.InternalTransport
+		transportType = commonhttp.SecureTransport
 	}
 	return &client{
 		url:        url,
--- a/src/registryctl/client/client.go
+++ b/src/registryctl/client/client.go
@ -58,7 +58,7 @@ func NewClient(baseURL string, cfg *Config) Client {
 	if cfg != nil {
 		authorizer := auth.NewSecretAuthorizer(cfg.Secret)
 		client.client = common_http.NewClient(&http.Client{
-			Transport: common_http.GetHTTPTransport(common_http.InternalTransport),
+			Transport: common_http.GetHTTPTransport(common_http.SecureTransport),
 		}, authorizer)
 	}
 	return client
--- a/src/replication/adapter/harbor/adapter.go
+++ b/src/replication/adapter/harbor/adapter.go
@ -72,7 +72,7 @@ type adapter struct {
 func newAdapter(registry *model.Registry) (*adapter, error) {
 	var transport *http.Transport
 	if registry.URL == config.GetCoreURL() {
-		transport = common_http.GetHTTPTransport(common_http.InternalTransport)
+		transport = common_http.GetHTTPTransport(common_http.SecureTransport)
 	} else {
 		transport = util.GetHTTPTransport(registry.Insecure)
 	}
--- a/src/server/registry/proxy.go
+++ b/src/server/registry/proxy.go
@ -34,7 +34,7 @@ func newProxy() http.Handler {
 	}
 	proxy := httputil.NewSingleHostReverseProxy(url)
 	if commonhttp.InternalTLSEnabled() {
-		proxy.Transport = commonhttp.GetHTTPTransport(commonhttp.InternalTransport)
+		proxy.Transport = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
 	}

 	proxy.Director = basicAuthDirector(proxy.Director)