Expose ssl_protocols from nginx configuration in harbor.yml

Signed-off-by: malmor <62105800+malmor@users.noreply.github.com>

make/harbor.yml.tmpl

@@ -16,6 +16,8 @@ https:
   # The path of cert and key files for nginx
   certificate: /your/certificate/path
   private_key: /your/private/key/path
+  # configure ssl protocols (default: TLSv1.2 TLSv1.3)
+  # ssl_protocols: TLSv1.2 TLSv1.3
   # enable strong ssl ciphers (default: false)
   # strong_ssl_ciphers: false
 
@@ -206,7 +208,7 @@ _version: 2.11.0
 #   # host for redis+sentinel:
 #   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
 #   host: redis:6379
-#   password: 
+#   password:
 #   # Redis AUTH command was extended in Redis 6, it is possible to use it in the two-arguments AUTH <username> <password> form.
 #   # there's a known issue when using external redis username ref:https://github.com/goharbor/harbor/issues/18892
 #   # if you care about the image pull/push performance, please refer to this https://github.com/goharbor/harbor/wiki/Harbor-FAQs#external-redis-username-password-usage

make/photon/prepare/templates/nginx/nginx.https.conf.jinja

@@ -63,7 +63,11 @@ http {
     ssl_certificate_key {{ssl_cert_key}};
 
     # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+{% if ssl_protocols is defined %}
+    ssl_protocols {{ssl_protocols}};
+{% else %}
     ssl_protocols TLSv1.2 TLSv1.3;
+{% endif %}
 {% if strong_ssl_ciphers %}
     ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
 {% else %}

make/photon/prepare/templates/portal/nginx.conf.jinja

@@ -27,7 +27,11 @@ http {
         ssl_certificate /etc/harbor/tls/portal.crt;
         ssl_certificate_key /etc/harbor/tls/portal.key;
 
+    {% if ssl_protocols is defined %}
+        ssl_protocols {{ssl_protocols}};
+    {% else %}
         ssl_protocols TLSv1.2 TLSv1.3;
+    {% endif %}
     {% if strong_ssl_ciphers %}
         ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
     {% else %}

make/photon/prepare/utils/configs.py

@@ -299,11 +299,16 @@ def parse_yaml_config(config_file_path, with_trivy):
             external_database=config_dict['external_database'])
     else:
         config_dict['internal_tls'] = InternalTLS()
+
+    # ssl_protocols config
+    if https_config:
+        config_dict['ssl_protocols'] = https_config.get('ssl_protocols')
+
     # the configure item apply to internal and external tls communication
     # for compatibility, user could configure the strong_ssl_ciphers either in https section or under internal_tls section,
     # but it is more reasonable to configure it in https_config
     if https_config:
-        config_dict['strong_ssl_ciphers'] = https_config.get('strong_ssl_ciphers') 
+        config_dict['strong_ssl_ciphers'] = https_config.get('strong_ssl_ciphers')
     else:
         config_dict['strong_ssl_ciphers'] = False
 

make/photon/prepare/utils/nginx.py

@@ -64,6 +64,7 @@ def render_nginx_template(config_dict):
             ssl_cert_key=SSL_CERT_KEY_PATH,
             internal_tls=config_dict['internal_tls'],
             metric=config_dict['metric'],
+            ssl_protocols=config_dict['ssl_protocols'],
             strong_ssl_ciphers=config_dict['strong_ssl_ciphers'],
             ip_family=config_dict['ip_family'])
         location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS

make/photon/prepare/utils/portal.py

@@ -17,5 +17,6 @@ def prepare_portal(config_dict):
         ip_family=config_dict['ip_family'],
         uid=DEFAULT_UID,
         gid=DEFAULT_GID,
+        ssl_protocols=config_dict['ssl_protocols'],
         strong_ssl_ciphers=config_dict['strong_ssl_ciphers']
         )