diff --git a/Deploy/harbor.cfg b/Deploy/harbor.cfg index 7cd7548eb..e1acfa6aa 100644 --- a/Deploy/harbor.cfg +++ b/Deploy/harbor.cfg @@ -38,6 +38,10 @@ self_registration = on #Number of job workers in job service, default is 3 max_job_workers = 3 +#Toggle on and off to tell job service wheter or not verify the ssl cert +#when it tries to access a remote registry +verify_remote_cert = on + #Turn on or off the customize your certificate for registry's token. #If the value is on, the prepare script will generate new root cert and private key #for generating token to access the image in registry. diff --git a/Deploy/prepare b/Deploy/prepare index d0afc365c..d861f58e3 100755 --- a/Deploy/prepare +++ b/Deploy/prepare @@ -47,6 +47,7 @@ crt_organizationalunit = rcp.get("configuration", "crt_organizationalunit") crt_commonname = rcp.get("configuration", "crt_commonname") crt_email = rcp.get("configuration", "crt_email") max_job_workers = rcp.get("configuration", "max_job_workers") +verify_remote_cert = rcp.get("configuration", "verify_remote_cert") ######## ui_secret = ''.join(random.choice(string.ascii_letters+string.digits) for i in range(16)) @@ -122,7 +123,8 @@ render(os.path.join(templates_dir, "jobservice", "env"), db_password=db_password, ui_secret=ui_secret, max_job_workers=max_job_workers, - ui_url=ui_url) + ui_url=ui_url, + verify_remote_cert=verify_remote_cert) def validate_crt_subj(dirty_subj): subj_list = [item for item in dirty_subj.strip().split("/") \ diff --git a/Deploy/templates/jobservice/env b/Deploy/templates/jobservice/env index 079cc3670..beb75a11d 100644 --- a/Deploy/templates/jobservice/env +++ b/Deploy/templates/jobservice/env @@ -3,7 +3,10 @@ MYSQL_PORT=3306 MYSQL_USR=root MYSQL_PWD=$db_password UI_SECRET=$ui_secret -HARBOR_URL=$ui_url +REGISTRY_URL=http://registry:5000 +VERIFY_REMOTE_CERT=$verify_remote_cert MAX_JOB_WORKERS=$max_job_workers LOG_LEVEL=debug GODEBUG=netdns=cgo +EXT_ENDPOINT=$ui_url +TOKEN_URL=http://ui 
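Review bot: The comment above `verify_remote_cert` does not tell the operator what turning the option off costs, and it contains a typo (`wheter`). With `off`, the job service stops validating the remote registry's certificate, so the remote end is no longer authenticated. Suggested wording: `#Whether the job service verifies the TLS certificate of a remote registry.` followed by `#Set to off only for registries with self-signed certificates on a trusted network; replication traffic can then be intercepted.`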
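Review bot: `rcp.get("configuration", "verify_remote_cert")` has no fallback, so a harbor.cfg written before this option existed will presumably make prepare fail on upgrade (`rcp` looks like a ConfigParser, but its construction is outside the hunk). The value is also passed to the template unvalidated, while `VerifyRemoteCert()` in job/config/config.go treats only the exact string `off` as disabling verification. Consider defaulting to `"on"` when `rcp.has_option("configuration", "verify_remote_cert")` is false, and rejecting any value other than `on` or `off` with a clear error, so a typo cannot leave the operator guessing which mode is active.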
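Review bot: The job service template never sets `UI_URL`, although job/config/config.go in this same commit reads `os.Getenv("UI_URL")`; the job service therefore always runs with the compiled-in default `http://ui`. If that is intended it deserves a comment, otherwise add `UI_URL=http://ui` here as Deploy/templates/ui/env does. `REGISTRY_URL` and `TOKEN_URL` are plain-HTTP addresses, which is acceptable only while these names resolve inside the private container network; the template should state that assumption.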
diff --git a/Deploy/templates/ui/env b/Deploy/templates/ui/env index de50c4a76..5098fa1a7 100644 --- a/Deploy/templates/ui/env +++ b/Deploy/templates/ui/env @@ -3,10 +3,11 @@ MYSQL_PORT=3306 MYSQL_USR=root MYSQL_PWD=$db_password REGISTRY_URL=http://registry:5000 +UI_URL=http://ui CONFIG_PATH=/etc/ui/app.conf HARBOR_REG_URL=$hostname HARBOR_ADMIN_PASSWORD=$harbor_admin_password -HARBOR_URL=$hostname +HARBOR_URL=$ui_url AUTH_MODE=$auth_mode LDAP_URL=$ldap_url LDAP_BASE_DN=$ldap_basedn @@ -14,3 +15,5 @@ UI_SECRET=$ui_secret SELF_REGISTRATION=$self_registration LOG_LEVEL=debug GODEBUG=netdns=cgo +EXT_ENDPOINT=$ui_url +TOKEN_URL=http://ui diff --git a/api/jobs/replication.go b/api/jobs/replication.go index d62d4e4fe..0dee3765b 100644 --- a/api/jobs/replication.go +++ b/api/jobs/replication.go 
@@ -1,16 +1,16 @@ /* - Copyright (c) 2016 VMware, Inc. All Rights Reserved. - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. + Copyright (c) 2016 VMware, Inc. All Rights Reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. */ package api @@ -165,7 +165,7 @@ func getRepoList(projectID int64) ([]string, error) { uiPwd = "Harbor12345" } */ - uiURL := config.LocalHarborURL() + uiURL := config.LocalUIURL() client := &http.Client{} req, err := http.NewRequest("GET", uiURL+"/api/repositories?project_id="+strconv.Itoa(int(projectID)), nil) if err != nil { diff --git a/job/config/config.go b/job/config/config.go index fb5d86fbd..c48e04aef 100644 --- a/job/config/config.go +++ b/job/config/config.go 
@@ -1,16 +1,16 @@ /* - Copyright (c) 2016 VMware, Inc. All Rights Reserved. - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. + Copyright (c) 2016 VMware, Inc. All Rights Reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. */ package config @@ -26,9 +26,11 @@ import ( const defaultMaxWorkers int = 10 var maxJobWorkers int -var localURL string +var localUIURL string +var localRegURL string var logDir string var uiSecret string +var verifyRemoteCert string func init() { maxWorkersEnv := os.Getenv("MAX_JOB_WORKERS") @@ -39,9 +41,14 @@ func init() { maxJobWorkers = defaultMaxWorkers } - localURL = os.Getenv("HARBOR_URL") - if len(localURL) == 0 { - localURL = "http://registry:5000/" + localRegURL = os.Getenv("REGISTRY_URL") + if len(localRegURL) == 0 { + localRegURL = "http://registry:5000" + } + + localUIURL = os.Getenv("UI_URL") + if len(localUIURL) == 0 { + localUIURL = "http://ui" } logDir = os.Getenv("LOG_DIR") 
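Review bot: `HARBOR_URL` is no longer read in init() after this change, so a job service deployment that still exports it silently falls back to `http://registry:5000` and `http://ui`. A one-time warning when `HARBOR_URL` is set but `REGISTRY_URL` is not would make the migration visible. The registry default also lost its trailing slash (it was `http://registry:5000/`), so any caller that concatenates a path onto `LocalRegURL()` should be checked; those callers are not visible in this diff. Neither value is validated as a URL, and init() starts and continues outside the hunk.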
@@ -67,8 +74,15 @@ func init() { panic("UI Secret is not set") } + verifyRemoteCert = os.Getenv("VERIFY_REMOTE_CERT") + if len(verifyRemoteCert) == 0 { + verifyRemoteCert = "on" + } + log.Debugf("config: maxJobWorkers: %d", maxJobWorkers) - log.Debugf("config: localHarborURL: %s", localURL) + log.Debugf("config: localUIURL: %s", localUIURL) + log.Debugf("config: localRegURL: %s", localRegURL) + log.Debugf("config: verifyRemoteCert: %s", verifyRemoteCert) log.Debugf("config: logDir: %s", logDir) log.Debugf("config: uiSecret: ******") } @@ -78,9 +92,14 @@ func MaxJobWorkers() int { return maxJobWorkers } -// LocalHarborURL returns the local registry url, job service will use this URL to pull manifest and repository. -func LocalHarborURL() string { - return localURL +// LocaUIURL returns the local ui url, job service will use this URL to call API hosted on ui process +func LocalUIURL() string { + return localUIURL +} + +// LocalRegURL returns the local registry url, job service will use this URL to pull image from the registry +func LocalRegURL() string { + return localRegURL } // LogDir returns the absolute path to which the log file will be written @@ -92,3 +111,8 @@ func LogDir() string { func UISecret() string { return uiSecret } + +// VerifyRemoteCert return the flag to tell jobservice whether or not verify the cert of remote registry +func VerifyRemoteCert() bool { + return verifyRemoteCert != "off" +} diff --git a/job/statemachine.go b/job/statemachine.go index 94c892a70..5fc3a9cc4 100644 --- a/job/statemachine.go +++ b/job/statemachine.go 
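Review bot: `verifyRemoteCert` is kept as a raw string and reported only through `log.Debugf`, so a job service running with certificate verification disabled leaves no trace at normal log levels. Emit a warning-level line in init() when the value is `off`, and consider parsing the flag into a bool once here instead of comparing strings on every call. The same point applies to `VerifyRemoteCert()` in the last hunk of this file: `verifyRemoteCert != "off"` is case-sensitive, so `OFF` or `false` leave verification enabled. That is a safe default, but the doc comment should say that only the exact value `off` disables it.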
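Review bot: The doc comment on `LocalUIURL` begins with `LocaUIURL`, which does not match the function name and will be flagged by golint. It should read `// LocalUIURL returns the local UI URL; the job service uses it to call the API hosted by the ui process.` The comment on `LocalRegURL` could also note that the returned value has no trailing slash, since the previous default had one.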
@@ -1,16 +1,16 @@ /* - Copyright (c) 2016 VMware, Inc. All Rights Reserved. - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. + Copyright (c) 2016 VMware, Inc. All Rights Reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. */ package job @@ -38,6 +38,7 @@ type RepJobParm struct { Tags []string Enabled int Operation string + Insecure bool } // SM is the state machine to handle job, it handles one job at a time. @@ -205,11 +206,12 @@ func (sm *SM) Reset(jid int64) error { return fmt.Errorf("The policy doesn't exist in DB, policy id:%d", job.PolicyID) } sm.Parms = &RepJobParm{ - LocalRegURL: config.LocalHarborURL(), + LocalRegURL: config.LocalRegURL(), Repository: job.Repository, Tags: job.TagList, Enabled: policy.Enabled, Operation: job.Operation, + Insecure: !config.VerifyRemoteCert(), } if policy.Enabled == 0 { //worker will cancel this job
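Review bot: `Insecure: !config.VerifyRemoteCert()` in Reset applies one process-wide switch to every replication job, so disabling verification for a single self-signed target disables it for all targets. Where `Insecure` is consumed is not visible in this diff. If it becomes the skip-verify setting of the HTTP client that also carries the target's credentials, those credentials and the replicated image data are exposed to anyone on the network path. Consider a per-target or per-policy setting, or support for a trusted CA bundle, and document the new field in `RepJobParm`, e.g. `Insecure bool // skip TLS certificate verification for the remote registry`. Reset's body starts and ends outside the hunk.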