From b93092e0126ff204f97fc1c30195b12f3651588f Mon Sep 17 00:00:00 2001 From: DQ Date: Tue, 17 Mar 2020 17:30:25 +0800 Subject: [PATCH] Add tls for trivy Add trivy tls cert files Add tivey tls env and config enhance gencert Signed-off-by: DQ --- Makefile | 4 +- make/photon/prepare/commands/gencerts.py | 9 ++-- make/photon/prepare/models.py | 3 +- make/photon/prepare/scripts/gencert.sh | 46 +++++++++++++------ .../docker_compose/docker-compose.yml.jinja | 12 +++++ .../prepare/templates/trivy-adapter/env.jinja | 5 ++ make/photon/prepare/utils/configs.py | 3 +- src/common/http/tls.go | 6 +-- src/core/main.go | 4 -- src/jobservice/hook/hook_client.go | 5 +- tests/ci/ut_install.sh | 2 +- 11 files changed, 66 insertions(+), 33 deletions(-) diff --git a/Makefile b/Makefile index 1ce395ca9..920cfb7cf 100644 --- a/Makefile +++ b/Makefile @@ -353,12 +353,12 @@ update_prepare_version: @$(SEDCMDI) -e 's/goharbor\/prepare:.*[[:space:]]\+/goharbor\/prepare:$(VERSIONTAG) prepare /' $(MAKEPATH)/prepare ; gen_tls: - @$(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert /etc/harbor/tls/internal + @$(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert -p /etc/harbor/tls/internal prepare: update_prepare_version @echo "preparing..." @if [ -n "$(GEN_TLS)" ] ; then \ - $(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert /etc/harbor/tls/internal; \ + $(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert -p /etc/harbor/tls/internal; \ fi @$(MAKEPATH)/$(PREPARECMD) $(PREPARECMD_PARA) diff --git a/make/photon/prepare/commands/gencerts.py b/make/photon/prepare/commands/gencerts.py index c3afa467e..0d2a58865 100644 --- a/make/photon/prepare/commands/gencerts.py +++ b/make/photon/prepare/commands/gencerts.py @@ -1,4 +1,5 @@ import os +import sys import click import pathlib from subprocess import check_call, PIPE, STDOUT 
@@ -9,8 +10,9 @@ from utils.misc import get_realpath gen_tls_script = pathlib.Path(__file__).parent.parent.joinpath('scripts/gencert.sh').absolute() @click.command() -@click.argument('path') -def gencert(path): +@click.option('-p', '--path', default='/etc/harbor/tls/internal') +@click.option('-d', '--days', default='365') +def gencert(path, days): path = get_realpath(path) click.echo('Check openssl ...') if not openssl_installed(): @@ -21,6 +23,7 @@ def gencert(path): click.echo('path {} not exist, create it...'.format(path)) os.makedirs(path, exist_ok=True) - shell_stat = check_call([gen_tls_script], stdout=PIPE, stderr=STDOUT, cwd=path) + shell_stat = check_call([gen_tls_script, days], stdout=PIPE, stderr=STDOUT, cwd=path) if shell_stat != 0: click.echo('Can not generate internal tls certs') + sys.exit(-1) diff --git a/make/photon/prepare/models.py b/make/photon/prepare/models.py index f007fef25..0caf4c38c 100644 --- a/make/photon/prepare/models.py +++ b/make/photon/prepare/models.py @@ -25,7 +25,6 @@ class InternalTLS: trivy_certs_filename = { 'trivy_adapter.crt', 'trivy_adapter.key', - 'trivy.crt', 'trivy.key' } notary_certs_filename = { @@ -55,6 +54,8 @@ class InternalTLS: self.required_filenames.update(self.notary_certs_filename) if kwargs.get('with_chartmuseum'): self.required_filenames.update(self.chart_museum_filename) + if kwargs.get('with_trivy'): + self.required_filenames.update(self.trivy_certs_filename) if not kwargs.get('external_database'): self.required_filenames.update(self.db_certs_filename) diff --git a/make/photon/prepare/scripts/gencert.sh b/make/photon/prepare/scripts/gencert.sh index 5c21d1047..c6bde2fe8 100755 --- a/make/photon/prepare/scripts/gencert.sh +++ b/make/photon/prepare/scripts/gencert.sh 
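Review bot: The `sys.exit(-1)` added in the last gencerts.py hunk is unreachable, because `check_call` raises `subprocess.CalledProcessError` on a non-zero exit and returns 0 otherwise, so `shell_stat != 0` never holds and a failing gencert.sh ends in an uncaught traceback instead of the intended message. Catch the exception instead; `CalledProcessError` has to be added to the existing `from subprocess import check_call, PIPE, STDOUT` line. The new `--days` option is also forwarded as an unvalidated string, so declaring it as `default=365, type=click.IntRange(min=1)` would reject junk before it reaches the `openssl -days` argument. The lines of gencert between the two hunks are not shown here.
```python
    try:
        check_call([gen_tls_script, str(days)], stdout=PIPE, stderr=STDOUT, cwd=path)
    except CalledProcessError as e:
        click.echo('Can not generate internal tls certs: {}'.format(e))
        sys.exit(-1)
```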
@@ -1,7 +1,16 @@ #! /bin/bash +set -e + +if [ -z "$1" ]; then + echo "No argument supplied set days to 365" + DAYS=365 +else + echo "No argument supplied set days to $1" + DAYS=$1 +fi # CA key and certificate -openssl req -x509 -nodes -days 365 -newkey rsa:4096 \ +openssl req -x509 -nodes -days $DAYS -newkey rsa:4096 \ -keyout "harbor_internal_ca.key" \ -out "harbor_internal_ca.crt" \ -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware" @@ -14,7 +23,7 @@ openssl req -new -newkey rsa:4096 -nodes -sha256 \ -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=proxy" # Sign proxy -openssl x509 -req -days 365 -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out proxy.crt +openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out proxy.crt # generate core key and csr @@ -24,7 +33,7 @@ openssl req -new \ -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=core" # Sign core csr with CA certificate and key -openssl x509 -req -days 365 -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out core.crt +openssl x509 -req -days $DAYS -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out core.crt # job_service key @@ -34,7 +43,7 @@ openssl req -new \ -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=jobservice" # sign job_service csr with CA certificate and key -openssl x509 -req -days 365 -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out job_service.crt +openssl x509 -req -days $DAYS -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out job_service.crt # generate registry key openssl req -new \ 
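Review bot: The `else` branch of the new argument check prints "No argument supplied set days to $1" although an argument was supplied, and `DAYS=$1` is accepted without any validation, so a non-numeric value is passed straight to every `openssl … -days $DAYS` call in this file, where `set -e` then aborts the run at the first rejected invocation. Validate once at the top and quote the expansion as `-days "$DAYS"` on the openssl lines; the same substitution repeats in every later hunk of this file, so the check is only needed here.
```sh
set -e

case "$1" in
  '')         echo "No argument supplied set days to 365"; DAYS=365 ;;
  0|*[!0-9]*) echo "days must be a positive integer, got '$1'" >&2; exit 1 ;;
  *)          echo "Set days to $1"; DAYS=$1 ;;
esac
# … unchanged: CA key and certificate generation …
```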
@@ -43,7 +52,7 @@ openssl req -new \ -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registry" # sign registry csr with CA certificate and key -openssl x509 -req -days 365 -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registry.crt +openssl x509 -req -days $DAYS -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registry.crt # generate registryctl key openssl req -new \ @@ -52,7 +61,7 @@ openssl req -new \ -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registryctl" # sign registryctl csr with CA certificate and key -openssl x509 -req -days 365 -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registryctl.crt +openssl x509 -req -days $DAYS -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registryctl.crt @@ -63,7 +72,7 @@ openssl req -new \ -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair_adapter" # sign clair_adapter csr with CA certificate and key -openssl x509 -req -days 365 -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair_adapter.crt +openssl x509 -req -days $DAYS -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair_adapter.crt # generate clair key 
@@ -73,7 +82,17 @@ openssl req -new \ -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair" # sign clair csr with CA certificate and key -openssl x509 -req -days 365 -sha256 -in clair.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair.crt +openssl x509 -req -days $DAYS -sha256 -in clair.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair.crt + + +# generate trivy_adapter key +openssl req -new \ + -newkey rsa:4096 -nodes -sha256 -keyout trivy_adapter.key \ + -out trivy_adapter.csr \ + -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=trivy_adapter" + +# sign trivy_adapter csr with CA certificate and key +openssl x509 -req -days $DAYS -sha256 -in trivy_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out trivy_adapter.crt # generate notary_signer key @@ -83,9 +102,7 @@ openssl req -new \ -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary_signer" # sign notary_signer csr with CA certificate and key -openssl x509 -req -days 365 -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_signer.crt - - +openssl x509 -req -days $DAYS -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_signer.crt # generate notary_server key openssl req -new \ @@ -94,7 +111,7 @@ openssl req -new \ -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary_server" # sign notary_server csr with CA certificate and key -openssl x509 -req -days 365 -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_server.crt +openssl x509 -req -days $DAYS -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_server.crt # generate chartmuseum key 
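Review bot: The new trivy_adapter certificate is issued with `CN=trivy_adapter` and no subjectAltName, while the service is reached as `trivy-adapter` (the configs.py hunk sets `trivy_adapter_url` to that host), so any client that verifies the adapter's certificate against the internal CA will fail name matching: Go's crypto/tls ignores the Common Name and checks SANs only. The existing clair_adapter entry above has the same shape, so the mismatch may be tolerated by today's callers, but new material should carry the SAN: add `-extfile <(printf 'subjectAltName=DNS:trivy-adapter')` to the `openssl x509 -req` signing line (`openssl x509 -req` does not copy extensions from the CSR on its own) and use `CN=trivy-adapter` in the subject. Whether the Harbor-side client actually verifies the server name is not visible in this commit.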
@@ -104,8 +121,7 @@ openssl req -new \ -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=chartmuseum" # sign chartmuseum csr with CA certificate and key -openssl x509 -req -days 365 -sha256 -in chartmuseum.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out chartmuseum.crt - +openssl x509 -req -days $DAYS -sha256 -in chartmuseum.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out chartmuseum.crt # generate harbor_db key @@ -115,4 +131,4 @@ openssl req -new \ -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=harbor_db" # sign harbor_db csr with CA certificate and key -openssl x509 -req -days 365 -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out harbor_db.crt +openssl x509 -req -days $DAYS -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out harbor_db.crt diff --git a/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja b/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja index 972599422..397f97a29 100644 --- a/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja +++ b/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja @@ -546,6 +546,18 @@ services: - type: bind source: {{data_volume}}/trivy-adapter/reports target: /home/scanner/.cache/reports +{%if internal_tls.enabled %} + volumes: + - type: bind + source: {{internal_tls.harbor_internal_ca_crt_path}} + target: /harbor_cust_cert/harbor_internal_ca.crt + - type: bind + source: {{internal_tls.trivy_adapter_crt_path}} + target: /etc/harbor/ssl/trivy_adapter.crt + - type: bind + source: {{internal_tls.trivy_adapter_key_path}} + target: /etc/harbor/ssl/trivy_adapter.key +{% endif %} logging: driver: "syslog" options: diff --git a/make/photon/prepare/templates/trivy-adapter/env.jinja b/make/photon/prepare/templates/trivy-adapter/env.jinja index b07db6f04..4930d5431 100644 
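Review bot: The added block introduces a second `volumes:` key in the trivy-adapter service: the context lines just above it (`- type: bind … target: /home/scanner/.cache/reports`) are items of that service's existing volume list, so when `internal_tls.enabled` is set the rendered YAML carries a duplicate mapping key, which a strict loader rejects and a lenient one resolves by keeping only one of the two lists, silently dropping either the cache mounts or the TLS material. Drop the `volumes:` line and keep the three `- type: bind` entries at the indentation of the existing items. The service definition starts before the hunk, so this reading assumes the preceding entries sit under a `volumes:` key the hunk does not show.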
--- a/make/photon/prepare/templates/trivy-adapter/env.jinja
+++ b/make/photon/prepare/templates/trivy-adapter/env.jinja
@@ -12,3 +12,8 @@ SCANNER_TRIVY_GITHUB_TOKEN={{trivy_github_token}}
 HTTP_PROXY={{trivy_http_proxy}}
 HTTPS_PROXY={{trivy_https_proxy}}
 NO_PROXY={{trivy_no_proxy}}
+{%if internal_tls.enabled %}
+SCANNER_API_SERVER_ADDR=:8443
+SCANNER_API_SERVER_TLS_KEY=/etc/harbor/ssl/trivy_adapter.key
+SCANNER_API_SERVER_TLS_CERTIFICATE=/etc/harbor/ssl/trivy_adapter.crt
+{% endif %}
diff --git a/make/photon/prepare/utils/configs.py b/make/photon/prepare/utils/configs.py
index 1eeacfb9f..e54145e3c 100644
--- a/make/photon/prepare/utils/configs.py
+++ b/make/photon/prepare/utils/configs.py
@@ -345,6 +345,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
 configs['data_volume'],
 with_notary=with_notary,
 with_clair=with_clair,
+ with_trivy=with_trivy,
 with_chartmuseum=with_chartmuseum,
 external_database=config_dict['external_database'])
 else:
@@ -358,7 +359,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
 config_dict['token_service_url'] = 'https://core:8443/service/token'
 config_dict['jobservice_url'] = 'https://jobservice:8443'
 config_dict['clair_adapter_url'] = 'https://clair-adapter:8443'
- # config_dict['trivy_adapter_url'] = 'http://trivy-adapter:8443'
+ config_dict['trivy_adapter_url'] = 'http://trivy-adapter:8443'
 # config_dict['notary_url'] = 'http://notary-server:4443'
 config_dict['chart_repository_url'] = 'https://chartmuseum:9443'
 
diff --git a/src/common/http/tls.go b/src/common/http/tls.go
index e2dc578f1..d4768c54f 100644
--- a/src/common/http/tls.go
+++ b/src/common/http/tls.go
@@ -36,8 +36,7 @@ const (
 
 // InternalTLSEnabled returns if internal TLS enabled
 func InternalTLSEnabled() bool {
- iTLSEnabled := os.Getenv(internalTLSEnable)
- if strings.ToLower(iTLSEnabled) == "true" {
+ if strings.ToLower(os.Getenv(internalTLSEnable)) == "true" {
 return true
 }
 return false
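Review bot: The uncommented `config_dict['trivy_adapter_url'] = 'http://trivy-adapter:8443'` in the second configs.py hunk sits in the branch whose siblings are `https://jobservice:8443` and `https://clair-adapter:8443`, while the env.jinja hunk makes the adapter serve TLS on `:8443` whenever `internal_tls.enabled` is set, so core would open a plaintext connection to a TLS listener and scanning would fail at the handshake. It should read `config_dict['trivy_adapter_url'] = 'https://trivy-adapter:8443'` to match the other internal-TLS URLs, unless the scheme is rewritten somewhere outside this diff. As a style point, the two tls.go hunks could collapse each function to a single `return strings.ToLower(os.Getenv(internalTLSEnable)) == "true"` (and likewise for `internalVerifyClientCert`) instead of an `if` that returns literal booleans.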
@@ -45,8 +44,7 @@ func InternalTLSEnabled() bool {
 
 // InternalEnableVerifyClientCert returns if mTLS enabled
 func InternalEnableVerifyClientCert() bool {
- enabled := os.Getenv(internalVerifyClientCert)
- if strings.ToLower(enabled) == "true" {
+ if strings.ToLower(os.Getenv(internalVerifyClientCert)) == "true" {
 return true
 }
 return false
diff --git a/src/core/main.go b/src/core/main.go
index 24bdca7ef..bee68f79c 100755
--- a/src/core/main.go
+++ b/src/core/main.go
@@ -168,10 +168,6 @@ func main() {
 iTLSCertPath := os.Getenv("INTERNAL_TLS_CERT_PATH")
 log.Infof("load client key: %s client cert: %s", iTLSKeyPath, iTLSCertPath)
 
- // uncomment following if harbor2 is ready
- // iTrustCA := os.Getenv("INTERNAL_TLS_TRUST_CA_PATH")
- // beego.BConfig.Listen.EnableMutualHTTPS = true
- // beego.BConfig.Listen.TrustCaFile = iTrustCA
 beego.BConfig.Listen.EnableHTTPS = true
 beego.BConfig.Listen.HTTPSPort = 8443
 beego.BConfig.Listen.HTTPSKeyFile = iTLSKeyPath
diff --git a/src/jobservice/hook/hook_client.go b/src/jobservice/hook/hook_client.go
index f0a9d5e73..e7f0a54bf 100644
--- a/src/jobservice/hook/hook_client.go
+++ b/src/jobservice/hook/hook_client.go
@@ -26,6 +26,7 @@ import (
 "time"
 
 commonhttp "github.com/goharbor/harbor/src/common/http"
+ "github.com/goharbor/harbor/src/common/utils/log"
 )
 
 // Client for handling the hook events
@@ -55,10 +56,10 @@ func NewClient(ctx context.Context) Client {
 ExpectContinueTimeout: 1 * time.Second,
 Proxy: http.ProxyFromEnvironment,
 }
- if commonhttp.InternalTLSEnabled() {
+ if commonhttp.InternalEnableVerifyClientCert() {
 tlsConfig, err := commonhttp.GetInternalTLSConfig()
 if err != nil {
- panic(err)
+ log.Errorf("client load cert file with err: %w", err)
 }
 transport.TLSClientConfig = tlsConfig
 }
diff --git a/tests/ci/ut_install.sh b/tests/ci/ut_install.sh
index 749972a18..149536d1e 100755
--- a/tests/ci/ut_install.sh
+++ b/tests/ci/ut_install.sh
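Review bot: In the hook_client.go NewClient hunk the error from `GetInternalTLSConfig` is now only logged and execution falls through to `transport.TLSClientConfig = tlsConfig`, so on failure the transport receives whatever the helper returned on its error path (presumably nil, i.e. default verification that does not know the internal CA) and the client is handed back as if healthy, where the old `panic` at least failed loudly; guard the assignment with `} else { transport.TLSClientConfig = tlsConfig }` or return the error. `%w` is only meaningful in `fmt.Errorf`; in a Printf-style logger it renders as `%!w(…)`, so the line should be `log.Errorf("client load cert file with err: %v", err)`. Switching the gate from `InternalTLSEnabled()` to `InternalEnableVerifyClientCert()` also means that with internal TLS on but client-cert verification off no TLS config is installed at all, which may be intended but deserves a comment such as `// without mTLS the default trust store must contain the internal CA`. NewClient continues outside the hunk.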
@@ -22,7 +22,7 @@ sudo -E env "PATH=$PATH" make go_check
 sudo ./tests/hostcfg.sh
 sudo ./tests/generateCerts.sh
 sudo make -f make/photon/Makefile _build_db _build_registry _build_prepare -e VERSIONTAG=dev -e REGISTRYVERSION=${REG_VERSION} -e BASEIMAGETAG=dev
-docker run --rm -v /:/hostfs:z goharbor/prepare:dev gencert /etc/harbor/tls/internal
+docker run --rm -v /:/hostfs:z goharbor/prepare:dev gencert -p /etc/harbor/tls/internal
 sudo MAKEPATH=$(pwd)/make ./make/prepare
 sudo mkdir -p "/data/redis"
 sudo mkdir -p /etc/core/ca/ && sudo mv ./tests/ca.crt /etc/core/ca/