Add tls for trivy

Add trivy tls cert files Add tivey tls env and config enhance gencert Signed-off-by: DQ <dengq@vmware.com>
2024-11-22 10:15:35 +01:00 · 2020-03-17 17:30:25 +08:00 · 2020-03-17 17:30:25 +08:00 · b93092e012
commit b93092e012
parent c954969bcd
11 changed files with 66 additions and 33 deletions
--- a/4
+++ b/4
@ -353,12 +353,12 @@ update_prepare_version:
 	@$(SEDCMDI) -e 's/goharbor\/prepare:.*[[:space:]]\+/goharbor\/prepare:$(VERSIONTAG) prepare /' $(MAKEPATH)/prepare ;

 gen_tls:
-	@$(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert /etc/harbor/tls/internal
+	@$(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert -p /etc/harbor/tls/internal

 prepare: update_prepare_version
 	@echo "preparing..."
 	@if [ -n "$(GEN_TLS)" ] ; then \
-		$(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert /etc/harbor/tls/internal; \
+		$(DOCKERCMD) run --rm -v /:/hostfs:z goharbor/prepare:$(VERSIONTAG) gencert -p /etc/harbor/tls/internal; \
 	fi
 	@$(MAKEPATH)/$(PREPARECMD) $(PREPARECMD_PARA)

--- a/make/photon/prepare/commands/gencerts.py
+++ b/make/photon/prepare/commands/gencerts.py
@ -1,4 +1,5 @@
 import os
+import sys
 import click
 import pathlib
 from subprocess import check_call, PIPE, STDOUT
@ -9,8 +10,9 @@ from utils.misc import get_realpath
 gen_tls_script = pathlib.Path(__file__).parent.parent.joinpath('scripts/gencert.sh').absolute()

@click.command()
-@click.argument('path')
-def gencert(path):
+@click.option('-p', '--path', default='/etc/harbor/tls/internal')
+@click.option('-d', '--days', default='365')
+def gencert(path, days):
    path = get_realpath(path)
    click.echo('Check openssl ...')
    if not openssl_installed():
@ -21,6 +23,7 @@ def gencert(path):
        click.echo('path {} not exist, create it...'.format(path))
        os.makedirs(path, exist_ok=True)

-    shell_stat = check_call([gen_tls_script], stdout=PIPE, stderr=STDOUT, cwd=path)
+    shell_stat = check_call([gen_tls_script, days], stdout=PIPE, stderr=STDOUT, cwd=path)
    if shell_stat != 0:
        click.echo('Can not generate internal tls certs')
+        sys.exit(-1)
--- a/make/photon/prepare/models.py
+++ b/make/photon/prepare/models.py
@ -25,7 +25,6 @@ class InternalTLS:

    trivy_certs_filename = {
        'trivy_adapter.crt', 'trivy_adapter.key',
-        'trivy.crt', 'trivy.key'
    }

    notary_certs_filename = {
@ -55,6 +54,8 @@ class InternalTLS:
                self.required_filenames.update(self.notary_certs_filename)
            if kwargs.get('with_chartmuseum'):
                self.required_filenames.update(self.chart_museum_filename)
+            if kwargs.get('with_trivy'):
+                self.required_filenames.update(self.trivy_certs_filename)
            if not kwargs.get('external_database'):
                self.required_filenames.update(self.db_certs_filename)

--- a/make/photon/prepare/scripts/gencert.sh
+++ b/make/photon/prepare/scripts/gencert.sh
@ -1,7 +1,16 @@
 #! /bin/bash
+set -e
+
+if [ -z "$1" ]; then
+    echo "No argument supplied set days to 365"
+    DAYS=365
+else
+    echo "No argument supplied set days to $1"
+    DAYS=$1
+fi

 # CA key and certificate
-openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
+openssl req -x509 -nodes -days $DAYS -newkey rsa:4096 \
        -keyout "harbor_internal_ca.key" \
        -out "harbor_internal_ca.crt" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware"
@ -14,7 +23,7 @@ openssl req -new -newkey rsa:4096 -nodes -sha256 \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=proxy"

 # Sign proxy
-openssl x509 -req -days 365 -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out proxy.crt
+openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out proxy.crt


 # generate core key and csr
@ -24,7 +33,7 @@ openssl req -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=core"

 # Sign core csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out core.crt
+openssl x509 -req -days $DAYS -sha256 -in core.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out core.crt


 # job_service key
@ -34,7 +43,7 @@ openssl req -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=jobservice"

 # sign job_service csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out job_service.crt
+openssl x509 -req -days $DAYS -sha256 -in job_service.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out job_service.crt

 # generate registry key
 openssl req -new \
@ -43,7 +52,7 @@ openssl req -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registry"

 # sign registry csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registry.crt
+openssl x509 -req -days $DAYS -sha256 -in registry.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registry.crt

 # generate registryctl key
 openssl req -new \
@ -52,7 +61,7 @@ openssl req -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=registryctl"

 # sign registryctl csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registryctl.crt
+openssl x509 -req -days $DAYS -sha256 -in registryctl.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out registryctl.crt



@ -63,7 +72,7 @@ openssl req -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair_adapter"

 # sign clair_adapter csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair_adapter.crt
+openssl x509 -req -days $DAYS -sha256 -in clair_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair_adapter.crt


 # generate clair key
@ -73,7 +82,17 @@ openssl req -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=clair"

 # sign clair csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in clair.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair.crt
+openssl x509 -req -days $DAYS -sha256 -in clair.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out clair.crt
+
+
+# generate trivy_adapter key
+openssl req -new \
+        -newkey rsa:4096 -nodes -sha256 -keyout trivy_adapter.key \
+        -out trivy_adapter.csr \
+        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=trivy_adapter"
+
+# sign trivy_adapter csr with CA certificate and key
+openssl x509 -req -days $DAYS -sha256 -in trivy_adapter.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out trivy_adapter.crt


 # generate notary_signer key
@ -83,9 +102,7 @@ openssl req -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary_signer"

 # sign notary_signer csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_signer.crt
-
-
+openssl x509 -req -days $DAYS -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_signer.crt

 # generate notary_server key
 openssl req -new \
@ -94,7 +111,7 @@ openssl req -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary_server"

 # sign notary_server csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_server.crt
+openssl x509 -req -days $DAYS -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_server.crt


 # generate chartmuseum key
@ -104,8 +121,7 @@ openssl req -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=chartmuseum"

 # sign chartmuseum csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in chartmuseum.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out chartmuseum.crt
-
+openssl x509 -req -days $DAYS -sha256 -in chartmuseum.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out chartmuseum.crt


 # generate harbor_db key
@ -115,4 +131,4 @@ openssl req -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=harbor_db"

 # sign harbor_db csr with CA certificate and key
-openssl x509 -req -days 365 -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out harbor_db.crt
+openssl x509 -req -days $DAYS -sha256 -in harbor_db.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out harbor_db.crt
--- a/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
+++ b/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
@ -546,6 +546,18 @@ services:
      - type: bind
        source: {{data_volume}}/trivy-adapter/reports
        target: /home/scanner/.cache/reports
+{%if internal_tls.enabled %}
+    volumes:
+      - type: bind
+        source: {{internal_tls.harbor_internal_ca_crt_path}}
+        target: /harbor_cust_cert/harbor_internal_ca.crt 
+      - type: bind
+        source: {{internal_tls.trivy_adapter_crt_path}}
+        target: /etc/harbor/ssl/trivy_adapter.crt
+      - type: bind
+        source: {{internal_tls.trivy_adapter_key_path}}
+        target: /etc/harbor/ssl/trivy_adapter.key
+{% endif %}
    logging:
      driver: "syslog"
      options:
--- a/make/photon/prepare/templates/trivy-adapter/env.jinja
+++ b/make/photon/prepare/templates/trivy-adapter/env.jinja
@ -12,3 +12,8 @@ SCANNER_TRIVY_GITHUB_TOKEN={{trivy_github_token}}
 HTTP_PROXY={{trivy_http_proxy}}
 HTTPS_PROXY={{trivy_https_proxy}}
 NO_PROXY={{trivy_no_proxy}}
+{%if internal_tls.enabled %}
+SCANNER_API_SERVER_ADDR=:8443
+SCANNER_API_SERVER_TLS_KEY=/etc/harbor/ssl/trivy_adapter.key
+SCANNER_API_SERVER_TLS_CERTIFICATE=/etc/harbor/ssl/trivy_adapter.crt
+{% endif %}
--- a/make/photon/prepare/utils/configs.py
+++ b/make/photon/prepare/utils/configs.py
@ -345,6 +345,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
            configs['data_volume'],
            with_notary=with_notary,
            with_clair=with_clair,
+            with_trivy=with_trivy,
            with_chartmuseum=with_chartmuseum,
            external_database=config_dict['external_database'])
    else:
@ -358,7 +359,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
        config_dict['token_service_url'] = 'https://core:8443/service/token'
        config_dict['jobservice_url'] = 'https://jobservice:8443'
        config_dict['clair_adapter_url'] = 'https://clair-adapter:8443'
-        # config_dict['trivy_adapter_url'] = 'http://trivy-adapter:8443'
+        config_dict['trivy_adapter_url'] = 'http://trivy-adapter:8443'
        # config_dict['notary_url'] = 'http://notary-server:4443'
        config_dict['chart_repository_url'] = 'https://chartmuseum:9443'

--- a/src/common/http/tls.go
+++ b/src/common/http/tls.go
@ -36,8 +36,7 @@ const (

 // InternalTLSEnabled returns if internal TLS enabled
 func InternalTLSEnabled() bool {
-	iTLSEnabled := os.Getenv(internalTLSEnable)
-	if strings.ToLower(iTLSEnabled) == "true" {
+	if strings.ToLower(os.Getenv(internalTLSEnable)) == "true" {
 		return true
 	}
 	return false
@ -45,8 +44,7 @@ func InternalTLSEnabled() bool {

 // InternalEnableVerifyClientCert returns if mTLS enabled
 func InternalEnableVerifyClientCert() bool {
-	enabled := os.Getenv(internalVerifyClientCert)
-	if strings.ToLower(enabled) == "true" {
+	if strings.ToLower(os.Getenv(internalVerifyClientCert)) == "true" {
 		return true
 	}
 	return false
--- a/src/core/main.go
+++ b/src/core/main.go
@ -168,10 +168,6 @@ func main() {
 		iTLSCertPath := os.Getenv("INTERNAL_TLS_CERT_PATH")

 		log.Infof("load client key: %s client cert: %s", iTLSKeyPath, iTLSCertPath)
-		// uncomment following if harbor2 is ready
-		// iTrustCA := os.Getenv("INTERNAL_TLS_TRUST_CA_PATH")
-		// beego.BConfig.Listen.EnableMutualHTTPS = true
-		// beego.BConfig.Listen.TrustCaFile = iTrustCA
 		beego.BConfig.Listen.EnableHTTPS = true
 		beego.BConfig.Listen.HTTPSPort = 8443
 		beego.BConfig.Listen.HTTPSKeyFile = iTLSKeyPath
--- a/src/jobservice/hook/hook_client.go
+++ b/src/jobservice/hook/hook_client.go
@ -26,6 +26,7 @@ import (
 	"time"

 	commonhttp "github.com/goharbor/harbor/src/common/http"
+	"github.com/goharbor/harbor/src/common/utils/log"
 )

 // Client for handling the hook events
@ -55,10 +56,10 @@ func NewClient(ctx context.Context) Client {
 		ExpectContinueTimeout: 1 * time.Second,
 		Proxy:                 http.ProxyFromEnvironment,
 	}
-	if commonhttp.InternalTLSEnabled() {
+	if commonhttp.InternalEnableVerifyClientCert() {
 		tlsConfig, err := commonhttp.GetInternalTLSConfig()
 		if err != nil {
-			panic(err)
+			log.Errorf("client load cert file with err: %w", err)
 		}
 		transport.TLSClientConfig = tlsConfig
 	}
--- a/tests/ci/ut_install.sh
+++ b/tests/ci/ut_install.sh
@ -22,7 +22,7 @@ sudo -E env "PATH=$PATH" make go_check
 sudo ./tests/hostcfg.sh
 sudo ./tests/generateCerts.sh
 sudo make -f make/photon/Makefile _build_db _build_registry _build_prepare -e VERSIONTAG=dev -e REGISTRYVERSION=${REG_VERSION} -e BASEIMAGETAG=dev
-docker run --rm -v /:/hostfs:z goharbor/prepare:dev gencert /etc/harbor/tls/internal
+docker run --rm -v /:/hostfs:z goharbor/prepare:dev gencert -p /etc/harbor/tls/internal
 sudo MAKEPATH=$(pwd)/make ./make/prepare
 sudo mkdir -p "/data/redis"
 sudo mkdir -p /etc/core/ca/ && sudo mv ./tests/ca.crt /etc/core/ca/