Fix health check url

health check url should depend on internal https

Signed-off-by: DQ <dengq@vmware.com>

make/photon/chartserver/Dockerfile

@@ -20,4 +20,4 @@ ENTRYPOINT ["./docker-entrypoint.sh"]
 VOLUME ["/chart_storage"]
 EXPOSE 9999
 
-HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:9999/health || exit 1
+HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS http://127.0.0.1:9999/health || curl -k -sS https://127.0.0.1:9443/health || exit 1

make/photon/clair-adapter/Dockerfile

@@ -12,7 +12,7 @@ RUN chown -R clair-adapter:clair-adapter /etc/pki/tls/certs \
 
 EXPOSE 8080
 
-HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:8080/probe/healthy || exit 1
+HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS http://127.0.0.1:8080/probe/healthy || curl -k -sS https://127.0.0.1:8443/probe/healthy || exit 1
 
 USER clair-adapter
 

make/photon/core/Dockerfile

@@ -1,7 +1,7 @@
 ARG harbor_base_image_version
 FROM goharbor/harbor-core-base:${harbor_base_image_version}
 
-HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v2.0/ping || exit 1
+HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v2.0/ping || curl -k --fail -s https://127.0.0.1:8443/api/v2.0/ping || exit 1
 COPY ./make/photon/common/install_cert.sh /harbor/
 COPY ./make/photon/core/entrypoint.sh /harbor/
 COPY ./make/photon/core/harbor_core /harbor/

make/photon/jobservice/Dockerfile

@@ -17,6 +17,6 @@ USER harbor
 
 VOLUME ["/var/log/jobs/"]
 
-HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v1/stats || exit 1
+HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v1/stats || curl -k --fail -s https://127.0.0.1:8443/api/v1/stats || exit 1
 
 ENTRYPOINT ["/harbor/entrypoint.sh"]

make/photon/prepare/scripts/gencert.sh

@@ -22,202 +22,118 @@ else
 fi
 
 # generate proxy key and csr
-cat <<END > proxy.cnf
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = proxy
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-END
 openssl req -new -newkey rsa:4096 -nodes -sha256 \
         -keyout proxy.key \
         -out proxy.csr \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=proxy"
 
 # Sign proxy
-openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile proxy.cnf -out proxy.crt
+openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out proxy.crt
 
 
 # generate core key and csr
-cat <<END > core.cnf
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = core
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-END
 openssl req -new \
         -newkey rsa:4096 -nodes -sha256 -keyout core.key \
         -out core.csr \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=core"
 
 # Sign core csr with CA certificate and key
-openssl x509 -req -days $DAYS -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile core.cnf -out core.crt
+openssl x509 -req -days $DAYS -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out core.crt
 
 
 # job_service key
-cat <<END > job_service.cnf
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = jobservice
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-END
 openssl req -new \
         -newkey rsa:4096 -nodes -sha256 -keyout job_service.key \
         -out job_service.csr \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=jobservice"
 
 # sign job_service csr with CA certificate and key
-openssl x509 -req -days $DAYS -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile job_service.cnf -out job_service.crt
+openssl x509 -req -days $DAYS -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out job_service.crt
 
 # generate registry key
-cat <<END > registry.cnf
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = registry
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-END
 openssl req -new \
         -newkey rsa:4096 -nodes -sha256 -keyout registry.key \
         -out registry.csr \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registry"
 
 # sign registry csr with CA certificate and key
-openssl x509 -req -days $DAYS -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile registry.cnf -out registry.crt
+openssl x509 -req -days $DAYS -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registry.crt
 
 # generate registryctl key
-cat <<END > registryctl.cnf
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = registryctl
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-END
 openssl req -new \
         -newkey rsa:4096 -nodes -sha256 -keyout registryctl.key \
         -out registryctl.csr \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registryctl"
 
 # sign registryctl csr with CA certificate and key
-openssl x509 -req -days $DAYS -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile registryctl.cnf -out registryctl.crt
+openssl x509 -req -days $DAYS -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registryctl.crt
 
 
 
 # generate clair_adapter key
-cat <<END > clair_adapter.cnf
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = clair-adapter
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-END
 openssl req -new \
         -newkey rsa:4096 -nodes -sha256 -keyout clair_adapter.key \
         -out clair_adapter.csr \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair-adapter"
 
 # sign clair_adapter csr with CA certificate and key
-openssl x509 -req -days $DAYS -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile clair_adapter.cnf -out clair_adapter.crt
+openssl x509 -req -days $DAYS -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair_adapter.crt
 
 
 # generate clair key
-cat <<END > clair.cnf
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = clair
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-END
 openssl req -new \
         -newkey rsa:4096 -nodes -sha256 -keyout clair.key \
         -out clair.csr \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair"
 
 # sign clair csr with CA certificate and key
-openssl x509 -req -days $DAYS -sha256 -in clair.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile clair.cnf -out clair.crt
+openssl x509 -req -days $DAYS -sha256 -in clair.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair.crt
 
 
 # generate trivy_adapter key
-cat <<END > trivy_adapter.cnf
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = trivy-adapter
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-END
 openssl req -new \
         -newkey rsa:4096 -nodes -sha256 -keyout trivy_adapter.key \
         -out trivy_adapter.csr \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=trivy-adapter"
 
 # sign trivy_adapter csr with CA certificate and key
-openssl x509 -req -days $DAYS -sha256 -in trivy_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile trivy_adapter.cnf -out trivy_adapter.crt
+openssl x509 -req -days $DAYS -sha256 -in trivy_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out trivy_adapter.crt
 
 
 # generate notary_signer key
-cat <<END > notary_signer.cnf
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = notary-signer
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-END
 openssl req -new \
         -newkey rsa:4096 -nodes -sha256 -keyout notary_signer.key \
         -out notary_signer.csr \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary-signer"
 
 # sign notary_signer csr with CA certificate and key
-openssl x509 -req -days $DAYS -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile notary_signer.cnf -out notary_signer.crt
+openssl x509 -req -days $DAYS -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_signer.crt
 
 # generate notary_server key
-cat <<END > notary_server.cnf
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = notary-server
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-END
 openssl req -new \
         -newkey rsa:4096 -nodes -sha256 -keyout notary_server.key \
         -out notary_server.csr \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary-server"
 
 # sign notary_server csr with CA certificate and key
-openssl x509 -req -days $DAYS -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile notary_server.cnf -out notary_server.crt
+openssl x509 -req -days $DAYS -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_server.crt
 
 
 # generate chartmuseum key
-cat <<END > chartmuseum.cnf
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = chartmuseum
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-END
 openssl req -new \
         -newkey rsa:4096 -nodes -sha256 -keyout chartmuseum.key \
         -out chartmuseum.csr \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=chartmuseum"
 
 # sign chartmuseum csr with CA certificate and key
-openssl x509 -req -days $DAYS -sha256 -in chartmuseum.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile chartmuseum.cnf -out chartmuseum.crt
+openssl x509 -req -days $DAYS -sha256 -in chartmuseum.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out chartmuseum.crt
 
 
 # generate harbor_db key
-cat <<END > harbor_db.cnf
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = harbor_db
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-END
 openssl req -new \
         -newkey rsa:4096 -nodes -sha256 -keyout harbor_db.key \
         -out harbor_db.csr \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=harbor_db"
 
 # sign harbor_db csr with CA certificate and key
-openssl x509 -req -days $DAYS -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile harbor_db.cnf -out harbor_db.crt
+openssl x509 -req -days $DAYS -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out harbor_db.crt

make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja

@@ -598,7 +598,7 @@ services:
 {%if internal_tls.enabled %}
       - type: bind
         source: {{internal_tls.harbor_internal_ca_crt_path}}
-        target: /etc/harbor/ssl/harbor_internal_ca.crt
+        target: /harbor_cust_cert/harbor_internal_ca.crt
       - type: bind
         source: {{internal_tls.chartmuseum_crt_path}}
         target: /etc/harbor/ssl/chartmuseum.crt

make/photon/registry/Dockerfile

@@ -10,7 +10,7 @@ RUN chown -R harbor:harbor /etc/pki/tls/certs \
     && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh \
     && chown harbor:harbor /usr/bin/registry && chmod u+x /usr/bin/registry
 
-HEALTHCHECK CMD curl 127.0.0.1:5000/
+HEALTHCHECK CMD curl --fail -s http://127.0.0.1:5000 || curl -k --fail -s https://127.0.0.1:5443 || exit 1
 
 USER harbor
 

make/photon/registryctl/Dockerfile

@@ -13,7 +13,7 @@ RUN chown -R harbor:harbor /etc/pki/tls/certs \
     && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh
 
 
-HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/health || exit 1
+HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/health || curl -k --fail -s https://127.0.0.1:8443/api/health || exit 1
 
 VOLUME ["/var/lib/registry"]
 

make/photon/trivy-adapter/Dockerfile

@@ -3,15 +3,24 @@ FROM goharbor/harbor-trivy-adapter-base:${harbor_base_image_version}
 
 ARG trivy_version
 
+COPY ./make/photon/common/install_cert.sh /home/scanner
+COPY ./make/photon/trivy-adapter/entrypoint.sh /home/scanner
 COPY ./make/photon/trivy-adapter/binary/trivy /usr/local/bin/trivy
 COPY ./make/photon/trivy-adapter/binary/scanner-trivy /home/scanner/bin/scanner-trivy
 
+
+RUN chown -R scanner:scanner /etc/pki/tls/certs \
+    && chown scanner:scanner /home/scanner/entrypoint.sh && chmod u+x /home/scanner/entrypoint.sh \
+    && chown scanner:scanner /usr/local/bin/trivy && chmod u+x /usr/local/bin/trivy \
+    && chown scanner:scanner /home/scanner/bin/scanner-trivy && chmod u+x /home/scanner/bin/scanner-trivy \
+    && chown scanner:scanner /home/scanner/install_cert.sh && chmod u+x /home/scanner/install_cert.sh
+
 EXPOSE 8080
 
-HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:8080/probe/healthy || exit 1
+HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl --fail -s http://127.0.0.1:8080/probe/healthy || curl -k --fail -s https://127.0.0.1:8443/probe/healthy || exit 1
 
 ENV TRIVY_VERSION=${trivy_version}
 
 USER scanner
 
-ENTRYPOINT ["/home/scanner/bin/scanner-trivy"]
+ENTRYPOINT ["/home/scanner/entrypoint.sh"]