Upstream/harbor
1
0
Fork 0
mirror of https://github.com/goharbor/harbor.git synced 2025-01-03 06:28:06 +01:00
Code Issues Projects Releases Wiki Activity

Fix health check url

Browse Source 
health check url should depend on internal https

Signed-off-by: DQ <dengq@vmware.com>
This commit is contained in:
DQ 2020-04-04 17:43:12 +00:00
parent cdb675bf3d
commit 4a836ea975
9 changed files with 32 additions and 107 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
make/photon/chartserver/Dockerfile
View File

@ -20,4 +20,4 @@ ENTRYPOINT ["./docker-entrypoint.sh"]
VOLUME ["/chart_storage"]
EXPOSE 9999
HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:9999/health || exit 1
HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS http://127.0.0.1:9999/health || curl -k -sS https://127.0.0.1:9443/health || exit 1

2
make/photon/clair-adapter/Dockerfile
View File

@ -12,7 +12,7 @@ RUN chown -R clair-adapter:clair-adapter /etc/pki/tls/certs \
EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:8080/probe/healthy || exit 1
HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS http://127.0.0.1:8080/probe/healthy || curl -k -sS https://127.0.0.1:8443/probe/healthy || exit 1
USER clair-adapter

2
make/photon/core/Dockerfile
View File

@ -1,7 +1,7 @@
ARG harbor_base_image_version
FROM goharbor/harbor-core-base:${harbor_base_image_version}
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v2.0/ping || exit 1
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v2.0/ping || curl -k --fail -s https://127.0.0.1:8443/api/v2.0/ping || exit 1
COPY ./make/photon/common/install_cert.sh /harbor/
COPY ./make/photon/core/entrypoint.sh /harbor/
COPY ./make/photon/core/harbor_core /harbor/

2
make/photon/jobservice/Dockerfile
View File

@ -17,6 +17,6 @@ USER harbor
VOLUME ["/var/log/jobs/"]
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v1/stats || exit 1
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v1/stats || curl -k --fail -s https://127.0.0.1:8443/api/v1/stats || exit 1
ENTRYPOINT ["/harbor/entrypoint.sh"]

108
make/photon/prepare/scripts/gencert.sh
View File

@ -22,202 +22,118 @@ else
fi
# generate proxy key and csr
cat <<END > proxy.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = proxy
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new -newkey rsa:4096 -nodes -sha256 \
-keyout proxy.key \
-out proxy.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=proxy"
# Sign proxy
openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile proxy.cnf -out proxy.crt
openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out proxy.crt
# generate core key and csr
cat <<END > core.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = core
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout core.key \
-out core.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=core"
# Sign core csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile core.cnf -out core.crt
openssl x509 -req -days $DAYS -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out core.crt
# job_service key
cat <<END > job_service.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = jobservice
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout job_service.key \
-out job_service.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=jobservice"
# sign job_service csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile job_service.cnf -out job_service.crt
openssl x509 -req -days $DAYS -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out job_service.crt
# generate registry key
cat <<END > registry.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = registry
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout registry.key \
-out registry.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registry"
# sign registry csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile registry.cnf -out registry.crt
openssl x509 -req -days $DAYS -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registry.crt
# generate registryctl key
cat <<END > registryctl.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = registryctl
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout registryctl.key \
-out registryctl.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registryctl"
# sign registryctl csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile registryctl.cnf -out registryctl.crt
openssl x509 -req -days $DAYS -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registryctl.crt
# generate clair_adapter key
cat <<END > clair_adapter.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = clair-adapter
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout clair_adapter.key \
-out clair_adapter.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair-adapter"
# sign clair_adapter csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile clair_adapter.cnf -out clair_adapter.crt
openssl x509 -req -days $DAYS -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair_adapter.crt
# generate clair key
cat <<END > clair.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = clair
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout clair.key \
-out clair.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair"
# sign clair csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in clair.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile clair.cnf -out clair.crt
openssl x509 -req -days $DAYS -sha256 -in clair.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair.crt
# generate trivy_adapter key
cat <<END > trivy_adapter.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = trivy-adapter
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout trivy_adapter.key \
-out trivy_adapter.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=trivy-adapter"
# sign trivy_adapter csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in trivy_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile trivy_adapter.cnf -out trivy_adapter.crt
openssl x509 -req -days $DAYS -sha256 -in trivy_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out trivy_adapter.crt
# generate notary_signer key
cat <<END > notary_signer.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = notary-signer
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout notary_signer.key \
-out notary_signer.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary-signer"
# sign notary_signer csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile notary_signer.cnf -out notary_signer.crt
openssl x509 -req -days $DAYS -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_signer.crt
# generate notary_server key
cat <<END > notary_server.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = notary-server
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout notary_server.key \
-out notary_server.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary-server"
# sign notary_server csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile notary_server.cnf -out notary_server.crt
openssl x509 -req -days $DAYS -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_server.crt
# generate chartmuseum key
cat <<END > chartmuseum.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = chartmuseum
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout chartmuseum.key \
-out chartmuseum.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=chartmuseum"
# sign chartmuseum csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in chartmuseum.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile chartmuseum.cnf -out chartmuseum.crt
openssl x509 -req -days $DAYS -sha256 -in chartmuseum.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out chartmuseum.crt
# generate harbor_db key
cat <<END > harbor_db.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = harbor_db
DNS.2 = localhost
IP.1 = 127.0.0.1
END
openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout harbor_db.key \
-out harbor_db.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=harbor_db"
# sign harbor_db csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -extfile harbor_db.cnf -out harbor_db.crt
openssl x509 -req -days $DAYS -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out harbor_db.crt

6
make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
View File

@ -480,7 +480,7 @@ services:
{%if internal_tls.enabled %}
- type: bind
source: {{internal_tls.harbor_internal_ca_crt_path}}
target: /harbor_cust_cert/harbor_internal_ca.crt
target: /harbor_cust_cert/harbor_internal_ca.crt
- type: bind
source: {{internal_tls.clair_crt_path}}
target: /etc/harbor/ssl/clair.crt
@ -559,7 +559,7 @@ services:
volumes:
- type: bind
source: {{internal_tls.harbor_internal_ca_crt_path}}
target: /harbor_cust_cert/harbor_internal_ca.crt
target: /harbor_cust_cert/harbor_internal_ca.crt
- type: bind
source: {{internal_tls.trivy_adapter_crt_path}}
target: /etc/harbor/ssl/trivy_adapter.crt
@ -598,7 +598,7 @@ services:
{%if internal_tls.enabled %}
- type: bind
source: {{internal_tls.harbor_internal_ca_crt_path}}
target: /etc/harbor/ssl/harbor_internal_ca.crt
target: /harbor_cust_cert/harbor_internal_ca.crt
- type: bind
source: {{internal_tls.chartmuseum_crt_path}}
target: /etc/harbor/ssl/chartmuseum.crt

2
make/photon/registry/Dockerfile
View File

@ -10,7 +10,7 @@ RUN chown -R harbor:harbor /etc/pki/tls/certs \
&& chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh \
&& chown harbor:harbor /usr/bin/registry && chmod u+x /usr/bin/registry
HEALTHCHECK CMD curl 127.0.0.1:5000/
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:5000 || curl -k --fail -s https://127.0.0.1:5443 || exit 1
USER harbor

2
make/photon/registryctl/Dockerfile
View File

@ -13,7 +13,7 @@ RUN chown -R harbor:harbor /etc/pki/tls/certs \
&& chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/health || exit 1
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/health || curl -k --fail -s https://127.0.0.1:8443/api/health || exit 1
VOLUME ["/var/lib/registry"]

13
make/photon/trivy-adapter/Dockerfile
View File

@ -3,15 +3,24 @@ FROM goharbor/harbor-trivy-adapter-base:${harbor_base_image_version}
ARG trivy_version
COPY ./make/photon/common/install_cert.sh /home/scanner
COPY ./make/photon/trivy-adapter/entrypoint.sh /home/scanner
COPY ./make/photon/trivy-adapter/binary/trivy /usr/local/bin/trivy
COPY ./make/photon/trivy-adapter/binary/scanner-trivy /home/scanner/bin/scanner-trivy
RUN chown -R scanner:scanner /etc/pki/tls/certs \
&& chown scanner:scanner /home/scanner/entrypoint.sh && chmod u+x /home/scanner/entrypoint.sh \
&& chown scanner:scanner /usr/local/bin/trivy && chmod u+x /usr/local/bin/trivy \
&& chown scanner:scanner /home/scanner/bin/scanner-trivy && chmod u+x /home/scanner/bin/scanner-trivy \
&& chown scanner:scanner /home/scanner/install_cert.sh && chmod u+x /home/scanner/install_cert.sh
EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:8080/probe/healthy || exit 1
HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl --fail -s http://127.0.0.1:8080/probe/healthy || curl -k --fail -s https://127.0.0.1:8443/probe/healthy || exit 1
ENV TRIVY_VERSION=${trivy_version}
USER scanner
ENTRYPOINT ["/home/scanner/bin/scanner-trivy"]
ENTRYPOINT ["/home/scanner/entrypoint.sh"]