Add mTLS configs

mTLS only enabled in jobservice and registryctl Signed-off-by: DQ <dengq@vmware.com>
2024-11-22 10:15:35 +01:00 · 2020-03-17 00:52:54 +08:00 · 2020-03-17 00:52:54 +08:00 · c954969bcd
commit c954969bcd
parent c5d73e6a0c
8 changed files with 48 additions and 20 deletions
--- a/make/harbor.yml.tmpl
+++ b/make/harbor.yml.tmpl
@ -17,9 +17,13 @@ https:
  certificate: /your/certificate/path
  private_key: /your/private/key/path

+# # Uncomment following will enable tls communication between all harbor components
 # internal_tls:
+# # set enabled to true means internal tls is enabled
 #   enabled: true
+# # verify_client_cert used to decide whether verify client certificate
 #   verify_client_cert: false
+# # put your cert and key files on dir
 #   dir: /etc/harbor/tls/internal

 # Uncomment external_url if you want to enable external proxy
--- a/make/photon/prepare/templates/jobservice/env.jinja
+++ b/make/photon/prepare/templates/jobservice/env.jinja
@ -11,6 +11,9 @@ INTERNAL_TLS_TRUST_CA_PATH=/harbor_cust_cert/harbor_internal_ca.crt
 INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/job_service.key
 INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/job_service.crt
 {% endif %}
+{% if internal_tls.verify_client_cert %}
+INTERNAL_VERIFY_CLIENT_CERT=true
+{% endif %}

 HTTP_PROXY={{jobservice_http_proxy}}
 HTTPS_PROXY={{jobservice_https_proxy}}
--- a/make/photon/prepare/templates/registryctl/env.jinja
+++ b/make/photon/prepare/templates/registryctl/env.jinja
@ -6,3 +6,6 @@ INTERNAL_TLS_TRUST_CA_PATH=/harbor_cust_cert/harbor_internal_ca.crt
 INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/registryctl.key
 INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/registryctl.crt
 {% endif %}
+{% if internal_tls.verify_client_cert %}
+INTERNAL_VERIFY_CLIENT_CERT=true
+{% endif %}
--- a/src/chartserver/client.go
+++ b/src/chartserver/client.go
@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"sync"
 	"time"

 	commonhttp "github.com/goharbor/harbor/src/common/http"
@ -19,6 +20,11 @@ const (
 	idleConnectionTimeout = 30 * time.Second
 )

+var (
+	once           sync.Once
+	chartTransport *http.Transport
+)
+
 // ChartClient is a http client to get the content from the external http server
 type ChartClient struct {
 	// HTTP client
@ -31,12 +37,15 @@ type ChartClient struct {
 // NewChartClient is constructor of ChartClient
 // credential can be nil
 func NewChartClient(credential *Credential) *ChartClient { // Create http client with customized timeouts
-	tr := commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
-	tr.MaxIdleConns = maxIdleConnections
-	tr.IdleConnTimeout = idleConnectionTimeout
+	once.Do(func() {
+		chartTransport = commonhttp.GetHTTPTransport(commonhttp.SecureTransport).Clone()
+		chartTransport.MaxIdleConns = maxIdleConnections
+		chartTransport.IdleConnTimeout = idleConnectionTimeout
+	})
+
 	client := &http.Client{
 		Timeout:   clientTimeout,
-		Transport: tr,
+		Transport: chartTransport,
 	}

 	return &ChartClient{
--- a/src/common/http/client.go
+++ b/src/common/http/client.go
@ -79,12 +79,12 @@ type Client struct {
 func GetHTTPTransport(clientType uint) *http.Transport {
 	switch clientType {
 	case SecureTransport:
-		return secureHTTPTransport.Clone()
+		return secureHTTPTransport
 	case InsecureTransport:
-		return insecureHTTPTransport.Clone()
+		return insecureHTTPTransport
 	default:
 		// default Transport is secure one
-		return secureHTTPTransport.Clone()
+		return secureHTTPTransport
 	}
 }

--- a/src/common/http/tls.go
+++ b/src/common/http/tls.go
@ -27,10 +27,11 @@ import (

 const (
 	// Internal TLS ENV
-	internalTLSEnable   = "INTERNAL_TLS_ENABLED"
-	internalTLSKeyPath  = "INTERNAL_TLS_KEY_PATH"
-	internalTLSCertPath = "INTERNAL_TLS_CERT_PATH"
-	internalTrustCAPath = "INTERNAL_TLS_TRUST_CA_PATH"
+	internalTLSEnable        = "INTERNAL_TLS_ENABLED"
+	internalVerifyClientCert = "INTERNAL_VERIFY_CLIENT_CERT"
+	internalTLSKeyPath       = "INTERNAL_TLS_KEY_PATH"
+	internalTLSCertPath      = "INTERNAL_TLS_CERT_PATH"
+	internalTrustCAPath      = "INTERNAL_TLS_TRUST_CA_PATH"
 )

 // InternalTLSEnabled returns if internal TLS enabled
@ -42,6 +43,15 @@ func InternalTLSEnabled() bool {
 	return false
 }

+// InternalEnableVerifyClientCert returns if mTLS enabled
+func InternalEnableVerifyClientCert() bool {
+	enabled := os.Getenv(internalVerifyClientCert)
+	if strings.ToLower(enabled) == "true" {
+		return true
+	}
+	return false
+}
+
 // GetInternalCA used to get internal cert file from Env
 func GetInternalCA(caPool *x509.CertPool) *x509.CertPool {
 	if caPool == nil {
--- a/src/jobservice/api/server.go
+++ b/src/jobservice/api/server.go
@ -73,11 +73,10 @@ func NewServer(ctx context.Context, router Router, cfg ServerConfig) *Server {
 	}

 	// Initialize TLS/SSL config if protocol is https
-	if cfg.Protocol == config.JobServiceProtocolHTTPS {
-		logger.Infof("https enabled, load trustCAs")
+	if cfg.Protocol == config.JobServiceProtocolHTTPS && commonhttp.InternalEnableVerifyClientCert() {
+		logger.Infof("mTLS enabled ...")
 		srv.TLSConfig = &tls.Config{
 			ClientAuth: tls.RequireAndVerifyClientCert,
-			ClientCAs:  commonhttp.GetInternalCA(nil),
 		}
 	}

--- a/src/registryctl/main.go
+++ b/src/registryctl/main.go
@ -19,6 +19,7 @@ import (
 	"flag"
 	"net/http"

+	common_http "github.com/goharbor/harbor/src/common/http"
 	"github.com/goharbor/harbor/src/common/utils/log"
 	"github.com/goharbor/harbor/src/registryctl/config"
 	"github.com/goharbor/harbor/src/registryctl/handlers"
@ -37,14 +38,13 @@ func (s *RegistryCtl) Start() {
 		Handler: s.Handler,
 	}

-	if s.ServerConf.Protocol == "https" {
-		regCtl.TLSConfig = &tls.Config{
-			ClientAuth: tls.RequireAndVerifyClientCert,
-		}
-	}
-
 	var err error
 	if s.ServerConf.Protocol == "https" {
+		if common_http.InternalEnableVerifyClientCert() {
+			regCtl.TLSConfig = &tls.Config{
+				ClientAuth: tls.RequireAndVerifyClientCert,
+			}
+		}
 		err = regCtl.ListenAndServeTLS(s.ServerConf.HTTPSConfig.Cert, s.ServerConf.HTTPSConfig.Key)
 	} else {
 		err = regCtl.ListenAndServe()