[cherry-pick] Move strong_ssl_ciphers to top level in harbor.yaml (#20022)

Move strong_ssl_ciphers to top level in harbor.yaml

  fixes #19912

Signed-off-by: stonezdj <stonezdj@gmail.com>
Co-authored-by: stonezdj <daojunz@vmware.com>

make/harbor.yml.tmpl

@@ -16,6 +16,8 @@ https:
   # The path of cert and key files for nginx
   certificate: /your/certificate/path
   private_key: /your/private/key/path
+  # enable strong ssl ciphers (default: false)
+  # strong_ssl_ciphers: false
 
 # # Uncomment following will enable tls communication between all harbor components
 # internal_tls:
@@ -23,8 +25,7 @@ https:
 #   enabled: true
 #   # put your cert and key files on dir
 #   dir: /etc/harbor/tls/internal
-#   # enable strong ssl ciphers (default: false)
-#   strong_ssl_ciphers: false
+
 
 # Uncomment external_url if you want to enable external proxy
 # And when it enabled the hostname will no longer used

make/photon/prepare/migrations/version_2_10_0/harbor.yml.jinja

@@ -23,6 +23,12 @@ https:
   # The path of cert and key files for nginx
   certificate: {{ https.certificate }}
   private_key: {{ https.private_key }}
+  # enable strong ssl ciphers (default: false)
+  {% if strong_ssl_ciphers is defined %}
+  strong_ssl_ciphers: {{ strong_ssl_ciphers | lower }}
+  {% else %}
+  strong_ssl_ciphers: false
+  {% endif %}
 {% else %}
 # https related config
 # https:
@@ -31,6 +37,8 @@ https:
 #   # The path of cert and key files for nginx
 #   certificate: /your/certificate/path
 #   private_key: /your/private/key/path
+#   enable strong ssl ciphers (default: false)
+#   strong_ssl_ciphers: false
 {% endif %}
 
 {% if internal_tls is defined %}
@@ -38,13 +46,9 @@ https:
 internal_tls:
   # set enabled to true means internal tls is enabled
   enabled: {{ internal_tls.enabled | lower }}
+  {% if internal_tls.dir is defined %}
   # put your cert and key files on dir
   dir: {{ internal_tls.dir }}
-  # enable strong ssl ciphers (default: false)
-  {% if internal_tls.strong_ssl_ciphers is defined %}
-  strong_ssl_ciphers: {{ internal_tls.strong_ssl_ciphers | lower }}
-  {% else %}
-  strong_ssl_ciphers: false
   {% endif %}
 {% else %}
 # internal_tls:
@@ -52,8 +56,6 @@ internal_tls:
 #   enabled: true
 #   # put your cert and key files on dir
 #   dir: /etc/harbor/tls/internal
-#   # enable strong ssl ciphers (default: false)
-#   strong_ssl_ciphers: false
 {% endif %}
 
 # Uncomment external_url if you want to enable external proxy

make/photon/prepare/templates/nginx/nginx.https.conf.jinja

@@ -59,7 +59,7 @@ http {
 
     # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
     ssl_protocols TLSv1.2 TLSv1.3;
-{% if internal_tls.strong_ssl_ciphers %}
+{% if strong_ssl_ciphers %}
     ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
 {% else %}
     ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';

make/photon/prepare/templates/portal/nginx.conf.jinja

@@ -22,7 +22,7 @@ http {
         ssl_certificate_key /etc/harbor/tls/portal.key;
 
         ssl_protocols TLSv1.2 TLSv1.3;
-    {% if internal_tls.strong_ssl_ciphers %}
+    {% if strong_ssl_ciphers %}
         ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
     {% else %}
         ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';

make/photon/prepare/utils/configs.py

@@ -299,6 +299,16 @@ def parse_yaml_config(config_file_path, with_trivy):
             external_database=config_dict['external_database'])
     else:
         config_dict['internal_tls'] = InternalTLS()
+    # the configure item apply to internal and external tls communication
+    # for compatibility, user could configure the strong_ssl_ciphers either in https section or under internal_tls section,
+    # but it is more reasonable to configure it in https_config
+    if https_config:
+        config_dict['strong_ssl_ciphers'] = https_config.get('strong_ssl_ciphers') 
+    else:
+        config_dict['strong_ssl_ciphers'] = False
+
+    if internal_tls_config:
+        config_dict['strong_ssl_ciphers'] = config_dict['strong_ssl_ciphers'] or internal_tls_config.get('strong_ssl_ciphers')
 
     # metric configs
     metric_config = configs.get('metric')

make/photon/prepare/utils/migration.py

@@ -27,6 +27,12 @@ def read_conf(path):
     with open(path) as f:
         try:
             d = yaml.safe_load(f)
+            # the strong_ssl_ciphers configure item apply to internal and external tls communication
+            # for compatibility, user could configure the strong_ssl_ciphers either in https section or under internal_tls section,
+            # but it will move to https section after migration
+            https_config = d.get("https") or {}
+            internal_tls = d.get('internal_tls') or {}
+            d['strong_ssl_ciphers'] = https_config.get('strong_ssl_ciphers') or internal_tls.get('strong_ssl_ciphers')
         except Exception as e:
             click.echo("parse config file err, make sure your harbor config version is above 1.8.0", e)
             exit(-1)

make/photon/prepare/utils/nginx.py

@@ -63,7 +63,8 @@ def render_nginx_template(config_dict):
             ssl_cert=SSL_CERT_PATH,
             ssl_cert_key=SSL_CERT_KEY_PATH,
             internal_tls=config_dict['internal_tls'],
-            metric=config_dict['metric'])
+            metric=config_dict['metric'],
+            strong_ssl_ciphers=config_dict['strong_ssl_ciphers'])
         location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
 
     else:

make/photon/prepare/utils/portal.py

@@ -15,4 +15,6 @@ def prepare_portal(config_dict):
         portal_conf,
         internal_tls=config_dict['internal_tls'],
         uid=DEFAULT_UID,
-        gid=DEFAULT_GID)
+        gid=DEFAULT_GID,
+        strong_ssl_ciphers=config_dict['strong_ssl_ciphers']
+        )