Fix health check url

The health check URL should depend on whether internal HTTPS (internal TLS) is enabled: probe the HTTP port and fall back to the HTTPS port.

Signed-off-by: DQ <dengq@vmware.com>
DQ 2020-04-04 17:43:12 +00:00
parent cdb675bf3d
commit 4a836ea975
9 changed files with 32 additions and 107 deletions


@ -20,4 +20,4 @@ ENTRYPOINT ["./docker-entrypoint.sh"]
VOLUME ["/chart_storage"] VOLUME ["/chart_storage"]
EXPOSE 9999 EXPOSE 9999
HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:9999/health || exit 1 HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS http://127.0.0.1:9999/health || curl -k -sS https://127.0.0.1:9443/health || exit 1
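Review bot: The chartmuseum probe on the HEALTHCHECK line still has no `--fail`, so `curl -sS` exits 0 on any HTTP response and a `/health` that answers 500 keeps the container healthy; the core, jobservice, registry and trivy-adapter images changed in this same commit do pass `--fail`. Suggest `CMD curl --fail -sS http://127.0.0.1:9999/health || curl -k --fail -sS https://127.0.0.1:9443/health || exit 1`. The `-k` on the HTTPS leg disables certificate verification, which is tolerable for a loopback liveness probe but deserves a comment above the line such as `# -k: loopback liveness probe only, certificate validity is not checked here`.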


@ -12,7 +12,7 @@ RUN chown -R clair-adapter:clair-adapter /etc/pki/tls/certs \
EXPOSE 8080 EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:8080/probe/healthy || exit 1 HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS http://127.0.0.1:8080/probe/healthy || curl -k -sS https://127.0.0.1:8443/probe/healthy || exit 1
USER clair-adapter USER clair-adapter
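Review bot: The new probe on the HEALTHCHECK line uses `curl -sS` without `--fail`, so any HTTP status — including a 500 from `/probe/healthy` — counts as healthy, while the trivy-adapter image in this same commit probes the identical endpoint with `--fail -s`; the two adapters should agree. Suggest `CMD curl --fail -sS http://127.0.0.1:8080/probe/healthy || curl -k --fail -sS https://127.0.0.1:8443/probe/healthy || exit 1`. Because `-k` skips certificate verification on the HTTPS leg, a wrong or expired internal cert will never surface through this check; if that is the intent, state it with `# -k: loopback liveness probe, not a TLS validity check`.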


@ -1,7 +1,7 @@
ARG harbor_base_image_version ARG harbor_base_image_version
FROM goharbor/harbor-core-base:${harbor_base_image_version} FROM goharbor/harbor-core-base:${harbor_base_image_version}
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v2.0/ping || exit 1 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v2.0/ping || curl -k --fail -s https://127.0.0.1:8443/api/v2.0/ping || exit 1
COPY ./make/photon/common/install_cert.sh /harbor/ COPY ./make/photon/common/install_cert.sh /harbor/
COPY ./make/photon/core/entrypoint.sh /harbor/ COPY ./make/photon/core/entrypoint.sh /harbor/
COPY ./make/photon/core/harbor_core /harbor/ COPY ./make/photon/core/harbor_core /harbor/
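Review bot: The HTTPS leg of the HEALTHCHECK passes `-k`, so the probe succeeds no matter which certificate core serves; with `install_cert.sh` copied into the image on the next line the internal CA is presumably made available inside the container, in which case `--cacert <path to harbor_internal_ca.crt>` (or dropping `-k` once the CA is in the system store) would let the same probe also catch a wrong or expired internal certificate — worth confirming where that script installs the CA. If skipping verification is deliberate because certificate validity is not a liveness concern, record that next to the line: `# -k: loopback liveness probe, not a TLS validity check`. The trailing `|| exit 1` is redundant with curl's own non-zero exit but harmless.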


@ -17,6 +17,6 @@ USER harbor
VOLUME ["/var/log/jobs/"] VOLUME ["/var/log/jobs/"]
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v1/stats || exit 1 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v1/stats || curl -k --fail -s https://127.0.0.1:8443/api/v1/stats || exit 1
ENTRYPOINT ["/harbor/entrypoint.sh"] ENTRYPOINT ["/harbor/entrypoint.sh"]


@ -22,202 +22,118 @@ else
fi fi
# generate proxy key and csr # generate proxy key and csr
cat <<END > proxy.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = proxy
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new -newkey rsa:4096 -nodes -sha256 \ openssl req -new -newkey rsa:4096 -nodes -sha256 \
-keyout proxy.key \ -keyout proxy.key \
-out proxy.csr \ -out proxy.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=proxy" -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=proxy"
# Sign proxy # Sign proxy
openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile proxy.cnf -out proxy.crt openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out proxy.crt
# generate core key and csr # generate core key and csr
cat <<END > core.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = core
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \ openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout core.key \ -newkey rsa:4096 -nodes -sha256 -keyout core.key \
-out core.csr \ -out core.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=core" -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=core"
# Sign core csr with CA certificate and key # Sign core csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile core.cnf -out core.crt openssl x509 -req -days $DAYS -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out core.crt
# job_service key # job_service key
cat <<END > job_service.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = jobservice
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \ openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout job_service.key \ -newkey rsa:4096 -nodes -sha256 -keyout job_service.key \
-out job_service.csr \ -out job_service.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=jobservice" -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=jobservice"
# sign job_service csr with CA certificate and key # sign job_service csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile job_service.cnf -out job_service.crt openssl x509 -req -days $DAYS -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out job_service.crt
# generate registry key # generate registry key
cat <<END > registry.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = registry
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \ openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout registry.key \ -newkey rsa:4096 -nodes -sha256 -keyout registry.key \
-out registry.csr \ -out registry.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registry" -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registry"
# sign registry csr with CA certificate and key # sign registry csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile registry.cnf -out registry.crt openssl x509 -req -days $DAYS -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registry.crt
# generate registryctl key # generate registryctl key
cat <<END > registryctl.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = registryctl
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \ openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout registryctl.key \ -newkey rsa:4096 -nodes -sha256 -keyout registryctl.key \
-out registryctl.csr \ -out registryctl.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registryctl" -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registryctl"
# sign registryctl csr with CA certificate and key # sign registryctl csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile registryctl.cnf -out registryctl.crt openssl x509 -req -days $DAYS -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registryctl.crt
# generate clair_adapter key # generate clair_adapter key
cat <<END > clair_adapter.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = clair-adapter
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \ openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout clair_adapter.key \ -newkey rsa:4096 -nodes -sha256 -keyout clair_adapter.key \
-out clair_adapter.csr \ -out clair_adapter.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair-adapter" -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair-adapter"
# sign clair_adapter csr with CA certificate and key # sign clair_adapter csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile clair_adapter.cnf -out clair_adapter.crt openssl x509 -req -days $DAYS -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair_adapter.crt
# generate clair key # generate clair key
cat <<END > clair.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = clair
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \ openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout clair.key \ -newkey rsa:4096 -nodes -sha256 -keyout clair.key \
-out clair.csr \ -out clair.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair" -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair"
# sign clair csr with CA certificate and key # sign clair csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in clair.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile clair.cnf -out clair.crt openssl x509 -req -days $DAYS -sha256 -in clair.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair.crt
# generate trivy_adapter key # generate trivy_adapter key
cat <<END > trivy_adapter.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = trivy-adapter
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \ openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout trivy_adapter.key \ -newkey rsa:4096 -nodes -sha256 -keyout trivy_adapter.key \
-out trivy_adapter.csr \ -out trivy_adapter.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=trivy-adapter" -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=trivy-adapter"
# sign trivy_adapter csr with CA certificate and key # sign trivy_adapter csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in trivy_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile trivy_adapter.cnf -out trivy_adapter.crt openssl x509 -req -days $DAYS -sha256 -in trivy_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out trivy_adapter.crt
# generate notary_signer key # generate notary_signer key
cat <<END > notary_signer.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = notary-signer
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \ openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout notary_signer.key \ -newkey rsa:4096 -nodes -sha256 -keyout notary_signer.key \
-out notary_signer.csr \ -out notary_signer.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary-signer" -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary-signer"
# sign notary_signer csr with CA certificate and key # sign notary_signer csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile notary_signer.cnf -out notary_signer.crt openssl x509 -req -days $DAYS -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_signer.crt
# generate notary_server key # generate notary_server key
cat <<END > notary_server.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = notary-server
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \ openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout notary_server.key \ -newkey rsa:4096 -nodes -sha256 -keyout notary_server.key \
-out notary_server.csr \ -out notary_server.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary-server" -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary-server"
# sign notary_server csr with CA certificate and key # sign notary_server csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile notary_server.cnf -out notary_server.crt openssl x509 -req -days $DAYS -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_server.crt
# generate chartmuseum key # generate chartmuseum key
cat <<END > chartmuseum.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = chartmuseum
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \ openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout chartmuseum.key \ -newkey rsa:4096 -nodes -sha256 -keyout chartmuseum.key \
-out chartmuseum.csr \ -out chartmuseum.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=chartmuseum" -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=chartmuseum"
# sign chartmuseum csr with CA certificate and key # sign chartmuseum csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in chartmuseum.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile chartmuseum.cnf -out chartmuseum.crt openssl x509 -req -days $DAYS -sha256 -in chartmuseum.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out chartmuseum.crt
# generate harbor_db key # generate harbor_db key
cat <<END > harbor_db.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = harbor_db
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \ openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout harbor_db.key \ -newkey rsa:4096 -nodes -sha256 -keyout harbor_db.key \
-out harbor_db.csr \ -out harbor_db.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=harbor_db" -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=harbor_db"
# sign harbor_db csr with CA certificate and key # sign harbor_db csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile harbor_db.cnf -out harbor_db.crt openssl x509 -req -days $DAYS -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out harbor_db.crt
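Review bot: Reading the second-printed line of each pair as the new side — which matches the section shrinking from 202 to 118 lines, the 84 removed lines being exactly the twelve seven-line `.cnf` heredocs — every `openssl x509 -req` signing line loses its `-extfile`, so the leaf certificates for proxy, core, jobservice, registry, registryctl, clair-adapter, clair, trivy-adapter, notary-signer, notary-server, chartmuseum and harbor_db are now issued with no subjectAltName (and, since `openssl x509 -req` adds no extensions without `-extfile`, no extensions at all). Verifiers that match only SANs and ignore the CN — current Go crypto/x509 is one — will reject these certificates for the service names and for `localhost`/`127.0.0.1`, and the `-k` on the new HTTPS health probes in this commit means such a failure would not show up as an unhealthy container. If the removal was to cut repetition rather than deliberate, keep the SANs and fold the twelve near-identical copies into one helper as sketched below; the `if`/`else` that the `fi` on the first line closes starts outside the hunk.
```shell
# … unchanged: internal CA key and certificate generation …
# gen_internal_cert FILE_BASE DNS_NAME
# Key, CSR and internal-CA-signed leaf cert for one service, with SANs for the
# service name plus localhost/127.0.0.1 (what the https health probes connect to).
gen_internal_cert() {
    base=$1; dns=$2
    cat <<END > "$base.cnf"
subjectAltName = @alt_names
[alt_names]
DNS.1 = $dns
DNS.2 = localhost
IP.1 = 127.0.0.1
END
    openssl req -new -newkey rsa:4096 -nodes -sha256 \
        -keyout "$base.key" -out "$base.csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=$dns"
    openssl x509 -req -days "$DAYS" -sha256 -in "$base.csr" \
        -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial \
        -extfile "$base.cnf" -out "$base.crt"
}

gen_internal_cert proxy proxy
gen_internal_cert core core
gen_internal_cert job_service jobservice
gen_internal_cert registry registry
gen_internal_cert registryctl registryctl
gen_internal_cert clair_adapter clair-adapter
gen_internal_cert clair clair
gen_internal_cert trivy_adapter trivy-adapter
gen_internal_cert notary_signer notary-signer
gen_internal_cert notary_server notary-server
gen_internal_cert chartmuseum chartmuseum
gen_internal_cert harbor_db harbor_db
```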


@ -598,7 +598,7 @@ services:
{%if internal_tls.enabled %} {%if internal_tls.enabled %}
- type: bind - type: bind
source: {{internal_tls.harbor_internal_ca_crt_path}} source: {{internal_tls.harbor_internal_ca_crt_path}}
target: /etc/harbor/ssl/harbor_internal_ca.crt target: /harbor_cust_cert/harbor_internal_ca.crt
- type: bind - type: bind
source: {{internal_tls.chartmuseum_crt_path}} source: {{internal_tls.chartmuseum_crt_path}}
target: /etc/harbor/ssl/chartmuseum.crt target: /etc/harbor/ssl/chartmuseum.crt
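Review bot: Neither bind in this hunk carries `read_only: true`, so the internal CA certificate — the trust anchor the other services verify against — and the chartmuseum leaf cert are mounted writable into the chartmuseum container, and anything running there could overwrite the host-side files. Unless a part of the template outside this hunk already sets it, add `read_only: true` under each `- type: bind` entry here. The new `/harbor_cust_cert/` target suggests install_cert.sh copies the CA into the container's trust store at start-up, which only needs read access; worth confirming against that script.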


@ -10,7 +10,7 @@ RUN chown -R harbor:harbor /etc/pki/tls/certs \
&& chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh \ && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh \
&& chown harbor:harbor /usr/bin/registry && chmod u+x /usr/bin/registry && chown harbor:harbor /usr/bin/registry && chmod u+x /usr/bin/registry
HEALTHCHECK CMD curl 127.0.0.1:5000/ HEALTHCHECK CMD curl --fail -s http://127.0.0.1:5000 || curl -k --fail -s https://127.0.0.1:5443 || exit 1
USER harbor USER harbor
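Review bot: Adding `--fail` changes what the registry probe accepts: the old `curl 127.0.0.1:5000/` passed on any HTTP response, whereas the new line marks the container unhealthy on any 4xx/5xx from the bare root `/`, so if the registry answers `/` with a 404 the container will flip unhealthy after the default retries. Worth confirming what the registry returns for `/` on both ports before merging; `/v2/` is the documented API root but can itself answer 401 when token auth is configured, so it is not an automatic substitute. This HEALTHCHECK also sets no `--interval`/`--timeout`, unlike the chartmuseum and adapter images, so the two sequential curl attempts share the 30s default timeout.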


@ -13,7 +13,7 @@ RUN chown -R harbor:harbor /etc/pki/tls/certs \
&& chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/health || exit 1 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/health || curl -k --fail -s https://127.0.0.1:8443/api/health || exit 1
VOLUME ["/var/lib/registry"] VOLUME ["/var/lib/registry"]


@ -3,15 +3,24 @@ FROM goharbor/harbor-trivy-adapter-base:${harbor_base_image_version}
ARG trivy_version ARG trivy_version
COPY ./make/photon/common/install_cert.sh /home/scanner
COPY ./make/photon/trivy-adapter/entrypoint.sh /home/scanner
COPY ./make/photon/trivy-adapter/binary/trivy /usr/local/bin/trivy COPY ./make/photon/trivy-adapter/binary/trivy /usr/local/bin/trivy
COPY ./make/photon/trivy-adapter/binary/scanner-trivy /home/scanner/bin/scanner-trivy COPY ./make/photon/trivy-adapter/binary/scanner-trivy /home/scanner/bin/scanner-trivy
RUN chown -R scanner:scanner /etc/pki/tls/certs \
&& chown scanner:scanner /home/scanner/entrypoint.sh && chmod u+x /home/scanner/entrypoint.sh \
&& chown scanner:scanner /usr/local/bin/trivy && chmod u+x /usr/local/bin/trivy \
&& chown scanner:scanner /home/scanner/bin/scanner-trivy && chmod u+x /home/scanner/bin/scanner-trivy \
&& chown scanner:scanner /home/scanner/install_cert.sh && chmod u+x /home/scanner/install_cert.sh
EXPOSE 8080 EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:8080/probe/healthy || exit 1 HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl --fail -s http://127.0.0.1:8080/probe/healthy || curl -k --fail -s https://127.0.0.1:8443/probe/healthy || exit 1
ENV TRIVY_VERSION=${trivy_version} ENV TRIVY_VERSION=${trivy_version}
USER scanner USER scanner
ENTRYPOINT ["/home/scanner/bin/scanner-trivy"] ENTRYPOINT ["/home/scanner/entrypoint.sh"]
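Review bot: `RUN chown -R scanner:scanner /etc/pki/tls/certs` makes the unprivileged runtime user the owner of the container's whole system CA directory, so any code running as `scanner` can add or replace trust anchors for the scanner's own outbound TLS; if install_cert.sh only needs to drop the internal CA in, a narrower grant (a dedicated sub-path, or running the install step before `USER scanner`) keeps the store read-only for the service, though this mirrors what the registry and clair-adapter images in the same commit do. The two `COPY` lines followed by a separate `chown` also duplicate the copied files in a second layer; `COPY --chown=scanner:scanner ./make/photon/common/install_cert.sh /home/scanner` does it in one step. The HEALTHCHECK here uses `--fail -s` while clair-adapter's in this commit uses `-sS` without `--fail` for the same endpoint; align on `--fail`. Since `ENTRYPOINT` now goes through `/home/scanner/entrypoint.sh`, that script (not in this diff) should end in `exec /home/scanner/bin/scanner-trivy` so the scanner stays PID 1 and receives stop signals.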