Move strong_ssl_ciphers to top level in harbor.yml (#20021)

Move strong_ssl_ciphers to top level in harbor.yaml fixes #19912 Signed-off-by: stonezdj <stonezdj@gmail.com> Signed-off-by: stonezdj <daojunz@vmware.com> Co-authored-by: stonezdj <daojunz@vmware.com>
2025-02-17 04:11:24 +01:00 · 2024-02-26 17:47:03 +08:00 · 2024-02-26 17:47:03 +08:00 · 5b78c3f7e4
commit 5b78c3f7e4
parent 9115b9f34f
5 changed files with 17 additions and 4 deletions
--- a/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
+++ b/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
@ -59,7 +59,7 @@ http {

    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_protocols TLSv1.2 TLSv1.3;
-{% if internal_tls.strong_ssl_ciphers %}
+{% if strong_ssl_ciphers %}
    ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
 {% else %}
    ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
--- a/make/photon/prepare/templates/portal/nginx.conf.jinja
+++ b/make/photon/prepare/templates/portal/nginx.conf.jinja
@ -22,7 +22,7 @@ http {
        ssl_certificate_key /etc/harbor/tls/portal.key;

        ssl_protocols TLSv1.2 TLSv1.3;
-    {% if internal_tls.strong_ssl_ciphers %}
+    {% if strong_ssl_ciphers %}
        ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
    {% else %}
        ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
--- a/make/photon/prepare/utils/configs.py
+++ b/make/photon/prepare/utils/configs.py
@ -299,6 +299,16 @@ def parse_yaml_config(config_file_path, with_trivy):
            external_database=config_dict['external_database'])
    else:
        config_dict['internal_tls'] = InternalTLS()
+    # the configure item apply to internal and external tls communication
+    # for compatibility, user could configure the strong_ssl_ciphers either in https section or under internal_tls section,
+    # but it is more reasonable to configure it in https_config
+    if https_config:
+        config_dict['strong_ssl_ciphers'] = https_config.get('strong_ssl_ciphers') 
+    else:
+        config_dict['strong_ssl_ciphers'] = False
+
+    if internal_tls_config:
+        config_dict['strong_ssl_ciphers'] = config_dict['strong_ssl_ciphers'] or internal_tls_config.get('strong_ssl_ciphers')

    # metric configs
    metric_config = configs.get('metric')
--- a/make/photon/prepare/utils/nginx.py
+++ b/make/photon/prepare/utils/nginx.py
@ -63,7 +63,8 @@ def render_nginx_template(config_dict):
            ssl_cert=SSL_CERT_PATH,
            ssl_cert_key=SSL_CERT_KEY_PATH,
            internal_tls=config_dict['internal_tls'],
-            metric=config_dict['metric'])
+            metric=config_dict['metric'],
+            strong_ssl_ciphers=config_dict['strong_ssl_ciphers'])
        location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS

    else:
--- a/make/photon/prepare/utils/portal.py
+++ b/make/photon/prepare/utils/portal.py
@ -15,4 +15,6 @@ def prepare_portal(config_dict):
        portal_conf,
        internal_tls=config_dict['internal_tls'],
        uid=DEFAULT_UID,
-        gid=DEFAULT_GID)
+        gid=DEFAULT_GID,
+        strong_ssl_ciphers=config_dict['strong_ssl_ciphers']
+        )