mirror of
https://github.com/goharbor/harbor.git
synced 2024-11-25 11:46:43 +01:00
Add tls for trivy
Add trivy tls cert files Add tivey tls env and config enhance gencert Signed-off-by: DQ <dengq@vmware.com>
This commit is contained in:
parent
c954969bcd
commit
b93092e012
4
Makefile
4
Makefile
@ -353,12 +353,12 @@ update_prepare_version:
|
||||
@$(SEDCMDI) -e 's/goharbor\/prepare:.*[[:space:]]\+/goharbor\/prepare:$(VERSIONTAG) prepare /' $(MAKEPATH)/prepare ;
|
||||
|
||||
gen_tls:
|
||||
@$(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert /etc/harbor/tls/internal
|
||||
@$(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert -p /etc/harbor/tls/internal
|
||||
|
||||
prepare: update_prepare_version
|
||||
@echo "preparing..."
|
||||
@if [ -n "$(GEN_TLS)" ] ; then \
|
||||
$(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert /etc/harbor/tls/internal; \
|
||||
$(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert -p /etc/harbor/tls/internal; \
|
||||
fi
|
||||
@$(MAKEPATH)/$(PREPARECMD) $(PREPARECMD_PARA)
|
||||
|
||||
|
@ -1,4 +1,5 @@
|
||||
import os
|
||||
import sys
|
||||
import click
|
||||
import pathlib
|
||||
from subprocess import check_call, PIPE, STDOUT
|
||||
@ -9,8 +10,9 @@ from utils.misc import get_realpath
|
||||
gen_tls_script = pathlib.Path(__file__).parent.parent.joinpath('scripts/gencert.sh').absolute()
|
||||
|
||||
@click.command()
|
||||
@click.argument('path')
|
||||
def gencert(path):
|
||||
@click.option('-p', '--path', default='/etc/harbor/tls/internal')
|
||||
@click.option('-d', '--days', default='365')
|
||||
def gencert(path, days):
|
||||
path = get_realpath(path)
|
||||
click.echo('Check openssl ...')
|
||||
if not openssl_installed():
|
||||
@ -21,6 +23,7 @@ def gencert(path):
|
||||
click.echo('path {} not exist, create it...'.format(path))
|
||||
os.makedirs(path, exist_ok=True)
|
||||
|
||||
shell_stat = check_call([gen_tls_script], stdout=PIPE, stderr=STDOUT, cwd=path)
|
||||
shell_stat = check_call([gen_tls_script, days], stdout=PIPE, stderr=STDOUT, cwd=path)
|
||||
if shell_stat != 0:
|
||||
click.echo('Can not generate internal tls certs')
|
||||
sys.exit(-1)
|
||||
|
@ -25,7 +25,6 @@ class InternalTLS:
|
||||
|
||||
trivy_certs_filename = {
|
||||
'trivy_adapter.crt', 'trivy_adapter.key',
|
||||
'trivy.crt', 'trivy.key'
|
||||
}
|
||||
|
||||
notary_certs_filename = {
|
||||
@ -55,6 +54,8 @@ class InternalTLS:
|
||||
self.required_filenames.update(self.notary_certs_filename)
|
||||
if kwargs.get('with_chartmuseum'):
|
||||
self.required_filenames.update(self.chart_museum_filename)
|
||||
if kwargs.get('with_trivy'):
|
||||
self.required_filenames.update(self.trivy_certs_filename)
|
||||
if not kwargs.get('external_database'):
|
||||
self.required_filenames.update(self.db_certs_filename)
|
||||
|
||||
|
@ -1,7 +1,16 @@
|
||||
#! /bin/bash
|
||||
set -e
|
||||
|
||||
if [ -z "$1" ]; then
|
||||
echo "No argument supplied set days to 365"
|
||||
DAYS=365
|
||||
else
|
||||
echo "No argument supplied set days to $1"
|
||||
DAYS=$1
|
||||
fi
|
||||
|
||||
# CA key and certificate
|
||||
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
|
||||
openssl req -x509 -nodes -days $DAYS -newkey rsa:4096 \
|
||||
-keyout "harbor_internal_ca.key" \
|
||||
-out "harbor_internal_ca.crt" \
|
||||
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware"
|
||||
@ -14,7 +23,7 @@ openssl req -new -newkey rsa:4096 -nodes -sha256 \
|
||||
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=proxy"
|
||||
|
||||
# Sign proxy
|
||||
openssl x509 -req -days 365 -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out proxy.crt
|
||||
openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out proxy.crt
|
||||
|
||||
|
||||
# generate core key and csr
|
||||
@ -24,7 +33,7 @@ openssl req -new \
|
||||
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=core"
|
||||
|
||||
# Sign core csr with CA certificate and key
|
||||
openssl x509 -req -days 365 -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out core.crt
|
||||
openssl x509 -req -days $DAYS -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out core.crt
|
||||
|
||||
|
||||
# job_service key
|
||||
@ -34,7 +43,7 @@ openssl req -new \
|
||||
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=jobservice"
|
||||
|
||||
# sign job_service csr with CA certificate and key
|
||||
openssl x509 -req -days 365 -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out job_service.crt
|
||||
openssl x509 -req -days $DAYS -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out job_service.crt
|
||||
|
||||
# generate registry key
|
||||
openssl req -new \
|
||||
@ -43,7 +52,7 @@ openssl req -new \
|
||||
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registry"
|
||||
|
||||
# sign registry csr with CA certificate and key
|
||||
openssl x509 -req -days 365 -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registry.crt
|
||||
openssl x509 -req -days $DAYS -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registry.crt
|
||||
|
||||
# generate registryctl key
|
||||
openssl req -new \
|
||||
@ -52,7 +61,7 @@ openssl req -new \
|
||||
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registryctl"
|
||||
|
||||
# sign registryctl csr with CA certificate and key
|
||||
openssl x509 -req -days 365 -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registryctl.crt
|
||||
openssl x509 -req -days $DAYS -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registryctl.crt
|
||||
|
||||
|
||||
|
||||
@ -63,7 +72,7 @@ openssl req -new \
|
||||
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair_adapter"
|
||||
|
||||
# sign clair_adapter csr with CA certificate and key
|
||||
openssl x509 -req -days 365 -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair_adapter.crt
|
||||
openssl x509 -req -days $DAYS -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair_adapter.crt
|
||||
|
||||
|
||||
# generate clair key
|
||||
@ -73,7 +82,17 @@ openssl req -new \
|
||||
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair"
|
||||
|
||||
# sign clair csr with CA certificate and key
|
||||
openssl x509 -req -days 365 -sha256 -in clair.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair.crt
|
||||
openssl x509 -req -days $DAYS -sha256 -in clair.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair.crt
|
||||
|
||||
|
||||
# generate trivy_adapter key
|
||||
openssl req -new \
|
||||
-newkey rsa:4096 -nodes -sha256 -keyout trivy_adapter.key \
|
||||
-out trivy_adapter.csr \
|
||||
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=trivy_adapter"
|
||||
|
||||
# sign trivy_adapter csr with CA certificate and key
|
||||
openssl x509 -req -days $DAYS -sha256 -in trivy_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out trivy_adapter.crt
|
||||
|
||||
|
||||
# generate notary_signer key
|
||||
@ -83,9 +102,7 @@ openssl req -new \
|
||||
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary_signer"
|
||||
|
||||
# sign notary_signer csr with CA certificate and key
|
||||
openssl x509 -req -days 365 -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_signer.crt
|
||||
|
||||
|
||||
openssl x509 -req -days $DAYS -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_signer.crt
|
||||
|
||||
# generate notary_server key
|
||||
openssl req -new \
|
||||
@ -94,7 +111,7 @@ openssl req -new \
|
||||
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary_server"
|
||||
|
||||
# sign notary_server csr with CA certificate and key
|
||||
openssl x509 -req -days 365 -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_server.crt
|
||||
openssl x509 -req -days $DAYS -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_server.crt
|
||||
|
||||
|
||||
# generate chartmuseum key
|
||||
@ -104,8 +121,7 @@ openssl req -new \
|
||||
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=chartmuseum"
|
||||
|
||||
# sign chartmuseum csr with CA certificate and key
|
||||
openssl x509 -req -days 365 -sha256 -in chartmuseum.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out chartmuseum.crt
|
||||
|
||||
openssl x509 -req -days $DAYS -sha256 -in chartmuseum.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out chartmuseum.crt
|
||||
|
||||
|
||||
# generate harbor_db key
|
||||
@ -115,4 +131,4 @@ openssl req -new \
|
||||
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=harbor_db"
|
||||
|
||||
# sign harbor_db csr with CA certificate and key
|
||||
openssl x509 -req -days 365 -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out harbor_db.crt
|
||||
openssl x509 -req -days $DAYS -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out harbor_db.crt
|
||||
|
@ -546,6 +546,18 @@ services:
|
||||
- type: bind
|
||||
source: {{data_volume}}/trivy-adapter/reports
|
||||
target: /home/scanner/.cache/reports
|
||||
{%if internal_tls.enabled %}
|
||||
volumes:
|
||||
- type: bind
|
||||
source: {{internal_tls.harbor_internal_ca_crt_path}}
|
||||
target: /harbor_cust_cert/harbor_internal_ca.crt
|
||||
- type: bind
|
||||
source: {{internal_tls.trivy_adapter_crt_path}}
|
||||
target: /etc/harbor/ssl/trivy_adapter.crt
|
||||
- type: bind
|
||||
source: {{internal_tls.trivy_adapter_key_path}}
|
||||
target: /etc/harbor/ssl/trivy_adapter.key
|
||||
{% endif %}
|
||||
logging:
|
||||
driver: "syslog"
|
||||
options:
|
||||
|
@ -12,3 +12,8 @@ SCANNER_TRIVY_GITHUB_TOKEN={{trivy_github_token}}
|
||||
HTTP_PROXY={{trivy_http_proxy}}
|
||||
HTTPS_PROXY={{trivy_https_proxy}}
|
||||
NO_PROXY={{trivy_no_proxy}}
|
||||
{%if internal_tls.enabled %}
|
||||
SCANNER_API_SERVER_ADDR=:8443
|
||||
SCANNER_API_SERVER_TLS_KEY=/etc/harbor/ssl/trivy_adapter.key
|
||||
SCANNER_API_SERVER_TLS_CERTIFICATE=/etc/harbor/ssl/trivy_adapter.crt
|
||||
{% endif %}
|
||||
|
@ -345,6 +345,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
|
||||
configs['data_volume'],
|
||||
with_notary=with_notary,
|
||||
with_clair=with_clair,
|
||||
with_trivy=with_trivy,
|
||||
with_chartmuseum=with_chartmuseum,
|
||||
external_database=config_dict['external_database'])
|
||||
else:
|
||||
@ -358,7 +359,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
|
||||
config_dict['token_service_url'] = 'https://core:8443/service/token'
|
||||
config_dict['jobservice_url'] = 'https://jobservice:8443'
|
||||
config_dict['clair_adapter_url'] = 'https://clair-adapter:8443'
|
||||
# config_dict['trivy_adapter_url'] = 'http://trivy-adapter:8443'
|
||||
config_dict['trivy_adapter_url'] = 'http://trivy-adapter:8443'
|
||||
# config_dict['notary_url'] = 'http://notary-server:4443'
|
||||
config_dict['chart_repository_url'] = 'https://chartmuseum:9443'
|
||||
|
||||
|
@ -36,8 +36,7 @@ const (
|
||||
|
||||
// InternalTLSEnabled returns if internal TLS enabled
|
||||
func InternalTLSEnabled() bool {
|
||||
iTLSEnabled := os.Getenv(internalTLSEnable)
|
||||
if strings.ToLower(iTLSEnabled) == "true" {
|
||||
if strings.ToLower(os.Getenv(internalTLSEnable)) == "true" {
|
||||
return true
|
||||
}
|
||||
return false
|
||||
@ -45,8 +44,7 @@ func InternalTLSEnabled() bool {
|
||||
|
||||
// InternalEnableVerifyClientCert returns if mTLS enabled
|
||||
func InternalEnableVerifyClientCert() bool {
|
||||
enabled := os.Getenv(internalVerifyClientCert)
|
||||
if strings.ToLower(enabled) == "true" {
|
||||
if strings.ToLower(os.Getenv(internalVerifyClientCert)) == "true" {
|
||||
return true
|
||||
}
|
||||
return false
|
||||
|
@ -168,10 +168,6 @@ func main() {
|
||||
iTLSCertPath := os.Getenv("INTERNAL_TLS_CERT_PATH")
|
||||
|
||||
log.Infof("load client key: %s client cert: %s", iTLSKeyPath, iTLSCertPath)
|
||||
// uncomment following if harbor2 is ready
|
||||
// iTrustCA := os.Getenv("INTERNAL_TLS_TRUST_CA_PATH")
|
||||
// beego.BConfig.Listen.EnableMutualHTTPS = true
|
||||
// beego.BConfig.Listen.TrustCaFile = iTrustCA
|
||||
beego.BConfig.Listen.EnableHTTPS = true
|
||||
beego.BConfig.Listen.HTTPSPort = 8443
|
||||
beego.BConfig.Listen.HTTPSKeyFile = iTLSKeyPath
|
||||
|
@ -26,6 +26,7 @@ import (
|
||||
"time"
|
||||
|
||||
commonhttp "github.com/goharbor/harbor/src/common/http"
|
||||
"github.com/goharbor/harbor/src/common/utils/log"
|
||||
)
|
||||
|
||||
// Client for handling the hook events
|
||||
@ -55,10 +56,10 @@ func NewClient(ctx context.Context) Client {
|
||||
ExpectContinueTimeout: 1 * time.Second,
|
||||
Proxy: http.ProxyFromEnvironment,
|
||||
}
|
||||
if commonhttp.InternalTLSEnabled() {
|
||||
if commonhttp.InternalEnableVerifyClientCert() {
|
||||
tlsConfig, err := commonhttp.GetInternalTLSConfig()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
log.Errorf("client load cert file with err: %w", err)
|
||||
}
|
||||
transport.TLSClientConfig = tlsConfig
|
||||
}
|
||||
|
@ -22,7 +22,7 @@ sudo -E env "PATH=$PATH" make go_check
|
||||
sudo ./tests/hostcfg.sh
|
||||
sudo ./tests/generateCerts.sh
|
||||
sudo make -f make/photon/Makefile _build_db _build_registry _build_prepare -e VERSIONTAG=dev -e REGISTRYVERSION=${REG_VERSION} -e BASEIMAGETAG=dev
|
||||
docker run --rm -v /:/hostfs:z goharbor/prepare:dev gencert /etc/harbor/tls/internal
|
||||
docker run --rm -v /:/hostfs:z goharbor/prepare:dev gencert -p /etc/harbor/tls/internal
|
||||
sudo MAKEPATH=$(pwd)/make ./make/prepare
|
||||
sudo mkdir -p "/data/redis"
|
||||
sudo mkdir -p /etc/core/ca/ && sudo mv ./tests/ca.crt /etc/core/ca/
|
||||
|
Loading…
Reference in New Issue
Block a user