Add tls for trivy

Add trivy tls cert files
Add tivey tls env and config
enhance gencert

Signed-off-by: DQ <dengq@vmware.com>

Makefile

@@ -353,12 +353,12 @@ update_prepare_version:
 	@$(SEDCMDI) -e 's/goharbor\/prepare:.*[[:space:]]\+/goharbor\/prepare:$(VERSIONTAG) prepare /' $(MAKEPATH)/prepare ;
 
 gen_tls:
-	@$(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert /etc/harbor/tls/internal
+	@$(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert -p /etc/harbor/tls/internal
 
 prepare: update_prepare_version
 	@echo "preparing..."
 	@if [ -n "$(GEN_TLS)" ] ; then \
-		$(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert /etc/harbor/tls/internal; \
+		$(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert -p /etc/harbor/tls/internal; \
 	fi
 	@$(MAKEPATH)/$(PREPARECMD) $(PREPARECMD_PARA)
 

make/photon/prepare/commands/gencerts.py

@@ -1,4 +1,5 @@
 import os
+import sys
 import click
 import pathlib
 from subprocess import check_call, PIPE, STDOUT
@@ -9,8 +10,9 @@ from utils.misc import get_realpath
 gen_tls_script = pathlib.Path(__file__).parent.parent.joinpath('scripts/gencert.sh').absolute()
 
 @click.command()
-@click.argument('path')
-def gencert(path):
+@click.option('-p', '--path', default='/etc/harbor/tls/internal')
+@click.option('-d', '--days', default='365')
+def gencert(path, days):
     path = get_realpath(path)
     click.echo('Check openssl ...')
     if not openssl_installed():
@@ -21,6 +23,7 @@ def gencert(path):
         click.echo('path {} not exist, create it...'.format(path))
         os.makedirs(path, exist_ok=True)
 
-    shell_stat = check_call([gen_tls_script], stdout=PIPE, stderr=STDOUT, cwd=path)
+    shell_stat = check_call([gen_tls_script, days], stdout=PIPE, stderr=STDOUT, cwd=path)
     if shell_stat != 0:
         click.echo('Can not generate internal tls certs')
+        sys.exit(-1)

make/photon/prepare/models.py

@@ -25,7 +25,6 @@ class InternalTLS:
 
     trivy_certs_filename = {
         'trivy_adapter.crt', 'trivy_adapter.key',
-        'trivy.crt', 'trivy.key'
     }
 
     notary_certs_filename = {
@@ -55,6 +54,8 @@ class InternalTLS:
                 self.required_filenames.update(self.notary_certs_filename)
             if kwargs.get('with_chartmuseum'):
                 self.required_filenames.update(self.chart_museum_filename)
+            if kwargs.get('with_trivy'):
+                self.required_filenames.update(self.trivy_certs_filename)
             if not kwargs.get('external_database'):
                 self.required_filenames.update(self.db_certs_filename)
 

make/photon/prepare/scripts/gencert.sh

@@ -1,7 +1,16 @@
 #! /bin/bash
+set -e
+
+if [ -z "$1" ]; then
+    echo "No argument supplied set days to 365"
+    DAYS=365
+else
+    echo "No argument supplied set days to $1"
+    DAYS=$1
+fi
 
 # CA key and certificate
-openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
+openssl req -x509 -nodes -days $DAYS -newkey rsa:4096 \
         -keyout "harbor_internal_ca.key" \
         -out "harbor_internal_ca.crt" \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware"
@@ -14,7 +23,7 @@ openssl req -new -newkey rsa:4096 -nodes -sha256 \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=proxy"
 
 # Sign proxy
-openssl x509 -req -days 365 -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out proxy.crt
+openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out proxy.crt
 
 
 # generate core key and csr
@@ -24,7 +33,7 @@ openssl req -new \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=core"
 
 # Sign core csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out core.crt
+openssl x509 -req -days $DAYS -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out core.crt
 
 
 # job_service key
@@ -34,7 +43,7 @@ openssl req -new \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=jobservice"
 
 # sign job_service csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out job_service.crt
+openssl x509 -req -days $DAYS -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out job_service.crt
 
 # generate registry key
 openssl req -new \
@@ -43,7 +52,7 @@ openssl req -new \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registry"
 
 # sign registry csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registry.crt
+openssl x509 -req -days $DAYS -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registry.crt
 
 # generate registryctl key
 openssl req -new \
@@ -52,7 +61,7 @@ openssl req -new \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registryctl"
 
 # sign registryctl csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registryctl.crt
+openssl x509 -req -days $DAYS -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registryctl.crt
 
 
 
@@ -63,7 +72,7 @@ openssl req -new \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair_adapter"
 
 # sign clair_adapter csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair_adapter.crt
+openssl x509 -req -days $DAYS -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair_adapter.crt
 
 
 # generate clair key
@@ -73,7 +82,17 @@ openssl req -new \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair"
 
 # sign clair csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in clair.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair.crt
+openssl x509 -req -days $DAYS -sha256 -in clair.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair.crt
+
+
+# generate trivy_adapter key
+openssl req -new \
+        -newkey rsa:4096 -nodes -sha256 -keyout trivy_adapter.key \
+        -out trivy_adapter.csr \
+        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=trivy_adapter"
+
+# sign trivy_adapter csr with CA certificate and key
+openssl x509 -req -days $DAYS -sha256 -in trivy_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out trivy_adapter.crt
 
 
 # generate notary_signer key
@@ -83,9 +102,7 @@ openssl req -new \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary_signer"
 
 # sign notary_signer csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_signer.crt
-
-
+openssl x509 -req -days $DAYS -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_signer.crt
 
 # generate notary_server key
 openssl req -new \
@@ -94,7 +111,7 @@ openssl req -new \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary_server"
 
 # sign notary_server csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_server.crt
+openssl x509 -req -days $DAYS -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_server.crt
 
 
 # generate chartmuseum key
@@ -104,8 +121,7 @@ openssl req -new \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=chartmuseum"
 
 # sign chartmuseum csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in chartmuseum.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out chartmuseum.crt
-
+openssl x509 -req -days $DAYS -sha256 -in chartmuseum.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out chartmuseum.crt
 
 
 # generate harbor_db key
@@ -115,4 +131,4 @@ openssl req -new \
         -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=harbor_db"
 
 # sign harbor_db csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out harbor_db.crt
+openssl x509 -req -days $DAYS -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out harbor_db.crt

make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja

@@ -546,6 +546,18 @@ services:
       - type: bind
         source: {{data_volume}}/trivy-adapter/reports
         target: /home/scanner/.cache/reports
+{%if internal_tls.enabled %}
+    volumes:
+      - type: bind
+        source: {{internal_tls.harbor_internal_ca_crt_path}}
+        target: /harbor_cust_cert/harbor_internal_ca.crt 
+      - type: bind
+        source: {{internal_tls.trivy_adapter_crt_path}}
+        target: /etc/harbor/ssl/trivy_adapter.crt
+      - type: bind
+        source: {{internal_tls.trivy_adapter_key_path}}
+        target: /etc/harbor/ssl/trivy_adapter.key
+{% endif %}
     logging:
       driver: "syslog"
       options:

make/photon/prepare/templates/trivy-adapter/env.jinja

@@ -12,3 +12,8 @@ SCANNER_TRIVY_GITHUB_TOKEN={{trivy_github_token}}
 HTTP_PROXY={{trivy_http_proxy}}
 HTTPS_PROXY={{trivy_https_proxy}}
 NO_PROXY={{trivy_no_proxy}}
+{%if internal_tls.enabled %}
+SCANNER_API_SERVER_ADDR=:8443
+SCANNER_API_SERVER_TLS_KEY=/etc/harbor/ssl/trivy_adapter.key
+SCANNER_API_SERVER_TLS_CERTIFICATE=/etc/harbor/ssl/trivy_adapter.crt
+{% endif %}

make/photon/prepare/utils/configs.py

@@ -345,6 +345,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
             configs['data_volume'],
             with_notary=with_notary,
             with_clair=with_clair,
+            with_trivy=with_trivy,
             with_chartmuseum=with_chartmuseum,
             external_database=config_dict['external_database'])
     else:
@@ -358,7 +359,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
         config_dict['token_service_url'] = 'https://core:8443/service/token'
         config_dict['jobservice_url'] = 'https://jobservice:8443'
         config_dict['clair_adapter_url'] = 'https://clair-adapter:8443'
-        # config_dict['trivy_adapter_url'] = 'http://trivy-adapter:8443'
+        config_dict['trivy_adapter_url'] = 'http://trivy-adapter:8443'
         # config_dict['notary_url'] = 'http://notary-server:4443'
         config_dict['chart_repository_url'] = 'https://chartmuseum:9443'
 

src/common/http/tls.go

@@ -36,8 +36,7 @@ const (
 
 // InternalTLSEnabled returns if internal TLS enabled
 func InternalTLSEnabled() bool {
-	iTLSEnabled := os.Getenv(internalTLSEnable)
-	if strings.ToLower(iTLSEnabled) == "true" {
+	if strings.ToLower(os.Getenv(internalTLSEnable)) == "true" {
 		return true
 	}
 	return false
@@ -45,8 +44,7 @@ func InternalTLSEnabled() bool {
 
 // InternalEnableVerifyClientCert returns if mTLS enabled
 func InternalEnableVerifyClientCert() bool {
-	enabled := os.Getenv(internalVerifyClientCert)
-	if strings.ToLower(enabled) == "true" {
+	if strings.ToLower(os.Getenv(internalVerifyClientCert)) == "true" {
 		return true
 	}
 	return false

src/core/main.go

@@ -168,10 +168,6 @@ func main() {
 		iTLSCertPath := os.Getenv("INTERNAL_TLS_CERT_PATH")
 
 		log.Infof("load client key: %s client cert: %s", iTLSKeyPath, iTLSCertPath)
-		// uncomment following if harbor2 is ready
-		// iTrustCA := os.Getenv("INTERNAL_TLS_TRUST_CA_PATH")
-		// beego.BConfig.Listen.EnableMutualHTTPS = true
-		// beego.BConfig.Listen.TrustCaFile = iTrustCA
 		beego.BConfig.Listen.EnableHTTPS = true
 		beego.BConfig.Listen.HTTPSPort = 8443
 		beego.BConfig.Listen.HTTPSKeyFile = iTLSKeyPath

src/jobservice/hook/hook_client.go

@@ -26,6 +26,7 @@ import (
 	"time"
 
 	commonhttp "github.com/goharbor/harbor/src/common/http"
+	"github.com/goharbor/harbor/src/common/utils/log"
 )
 
 // Client for handling the hook events
@@ -55,10 +56,10 @@ func NewClient(ctx context.Context) Client {
 		ExpectContinueTimeout: 1 * time.Second,
 		Proxy:                 http.ProxyFromEnvironment,
 	}
-	if commonhttp.InternalTLSEnabled() {
+	if commonhttp.InternalEnableVerifyClientCert() {
 		tlsConfig, err := commonhttp.GetInternalTLSConfig()
 		if err != nil {
-			panic(err)
+			log.Errorf("client load cert file with err: %w", err)
 		}
 		transport.TLSClientConfig = tlsConfig
 	}

tests/ci/ut_install.sh

@@ -22,7 +22,7 @@ sudo -E env "PATH=$PATH" make go_check
 sudo ./tests/hostcfg.sh
 sudo ./tests/generateCerts.sh
 sudo make -f make/photon/Makefile _build_db _build_registry _build_prepare -e VERSIONTAG=dev -e REGISTRYVERSION=${REG_VERSION} -e BASEIMAGETAG=dev
-docker run --rm -v /:/hostfs:z goharbor/prepare:dev gencert /etc/harbor/tls/internal
+docker run --rm -v /:/hostfs:z goharbor/prepare:dev gencert -p /etc/harbor/tls/internal
 sudo MAKEPATH=$(pwd)/make ./make/prepare
 sudo mkdir -p "/data/redis"
 sudo mkdir -p /etc/core/ca/ && sudo mv ./tests/ca.crt /etc/core/ca/