Add internal tls configs for portal
add related file, config, command to enable https for portal Signed-off-by: DQ <dengq@vmware.com>
This commit is contained in:
parent
9ce29c9dc8
commit
d3ab9d7c6b
@ -37,14 +37,11 @@ COPY --from=nodeportal /build_dir/swagger2.json /usr/share/nginx/html
|
||||
COPY --from=nodeportal /build_dir/swagger3.json /usr/share/nginx/html
|
||||
COPY --from=nodeportal /build_dir/LICENSE /usr/share/nginx/html
|
||||
|
||||
COPY make/photon/portal/nginx.conf /etc/nginx/nginx.conf
|
||||
|
||||
EXPOSE 8080
|
||||
VOLUME /var/cache/nginx /var/log/nginx /run
|
||||
|
||||
STOPSIGNAL SIGQUIT
|
||||
|
||||
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || exit 1
|
||||
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || curl --fail -s http://127.0.0.1:8443 || exit 1
|
||||
USER nginx
|
||||
CMD ["nginx", "-g", "daemon off;"]
|
||||
|
||||
|
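Review bot: The fallback probe in the new HEALTHCHECK speaks plain HTTP to port 8443, but the portal template binds that port with `listen 8443 ssl`, so with internal TLS enabled nginx rejects the non-TLS request and `--fail` reports the container unhealthy even while it serves correctly. The probe needs an `https://` URL; verifying against the internal CA would require `harbor_internal_ca.crt` inside this image, which the compose template does not mount for portal, and for a loopback liveness check verification adds little, so `-k` is the pragmatic form. Suggested line: `HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || curl --fail -s -k https://127.0.0.1:8443 || exit 1`.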
@ -23,6 +23,7 @@ from utils.nginx import prepare_nginx, nginx_confd_dir
|
||||
from utils.redis import prepare_redis
|
||||
from utils.internal_tls import prepare_tls
|
||||
from utils.trivy_adapter import prepare_trivy_adapter
|
||||
from utils.portal import prepare_portal
|
||||
from g import (config_dir, input_config_path, private_key_pem_path, root_crt_path, secret_key_dir,
|
||||
old_private_key_pem_path, old_crt_path)
|
||||
|
||||
@ -43,6 +44,7 @@ def prepare(conf, with_notary, with_clair, with_trivy, with_chartmuseum):
|
||||
logging.error(e)
|
||||
sys.exit(-1)
|
||||
|
||||
prepare_portal(config_dict)
|
||||
prepare_log_configs(config_dict)
|
||||
prepare_nginx(config_dict)
|
||||
prepare_core(config_dict, with_notary=with_notary, with_clair=with_clair, with_trivy=with_trivy, with_chartmuseum=with_chartmuseum)
|
||||
|
@ -12,7 +12,7 @@ REDIS_UID = 999
|
||||
REDIS_GID = 999
|
||||
|
||||
## Global variable
|
||||
templates_dir = "/usr/src/app/templates"
|
||||
templates_dir = Path("/usr/src/app/templates")
|
||||
|
||||
host_root_dir = Path('/hostfs')
|
||||
|
||||
|
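Review bot: Changing `templates_dir` from a `str` to a `Path` is a type change on a shared module-level global, and this hunk shows only the definition; any existing consumer that builds a template path by string concatenation (`templates_dir + "/..."`) or hands it to an API that insists on `str` will break, while `os.path.join` and `open` keep working with a `PathLike`. The new `utils/portal.py` calls `templates_dir.joinpath(...)`, which is presumably why the type changed, so the other prepare modules that reference `templates_dir` should be checked (or wrapped with `str(...)`) before this merges. A short comment on the definition would help future readers: `# Path, not str: prepare modules use .joinpath(); wrap with str() for APIs that need a plain string`.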
@ -15,7 +15,8 @@ class InternalTLS:
|
||||
'core.crt', 'core.key',
|
||||
'job_service.crt', 'job_service.key',
|
||||
'registryctl.crt', 'registryctl.key',
|
||||
'registry.crt', 'registry.key'
|
||||
'registry.crt', 'registry.key',
|
||||
'portal.crt', 'portal.key'
|
||||
}
|
||||
|
||||
clair_certs_filename = {
|
||||
|
@ -30,6 +30,14 @@ openssl req -new -newkey rsa:4096 -nodes -sha256 \
|
||||
# Sign proxy
|
||||
openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out proxy.crt
|
||||
|
||||
# generate portal key and csr
|
||||
openssl req -new -newkey rsa:4096 -nodes -sha256 \
|
||||
-keyout portal.key \
|
||||
-out portal.csr \
|
||||
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=portal"
|
||||
|
||||
# Sign portal
|
||||
openssl x509 -req -days $DAYS -sha256 -in portal.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out portal.crt
|
||||
|
||||
# generate core key and csr
|
||||
openssl req -new \
|
||||
|
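Review bot: The new portal CSR (like the proxy one in the context above) carries only a subject CN and no subjectAltName. nginx's `proxy_ssl_verify` still accepts a CN-only certificate when no SAN is present, so the proxy→portal hop works, but Go's TLS client (since 1.15) and current browsers ignore the CN entirely, so any other internal component that later dials `portal:8443` with verification on would fail the handshake. Because `openssl x509 -req` does not copy extensions from the CSR by default, the SAN has to be supplied at signing time, e.g. `-extfile` pointing at a file containing `subjectAltName=DNS:portal` (or `-copy_extensions copy` together with `-addext` on the `req` side, on OpenSSL 3); the same applies to the other service CSRs in this file, which share the pattern. The enclosing script continues outside the hunk.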
@ -17,6 +17,7 @@ POSTGRESQL_SSLMODE={{harbor_db_sslmode}}
|
||||
POSTGRESQL_MAX_IDLE_CONNS={{harbor_db_max_idle_conns}}
|
||||
POSTGRESQL_MAX_OPEN_CONNS={{harbor_db_max_open_conns}}
|
||||
REGISTRY_URL={{registry_url}}
|
||||
PORTAL_URL={{portal_url}}
|
||||
TOKEN_SERVICE_URL={{token_service_url}}
|
||||
HARBOR_ADMIN_PASSWORD={{harbor_admin_password}}
|
||||
MAX_JOB_WORKERS={{max_job_workers}}
|
||||
|
@ -234,6 +234,18 @@ services:
|
||||
- SETGID
|
||||
- SETUID
|
||||
- NET_BIND_SERVICE
|
||||
volumes:
|
||||
- type: bind
|
||||
source: ./common/config/portal/nginx.conf
|
||||
target: /etc/nginx/nginx.conf
|
||||
{%if internal_tls.enabled %}
|
||||
- type: bind
|
||||
source: {{internal_tls.portal_crt_path}}
|
||||
target: /etc/harbor/tls/portal.crt
|
||||
- type: bind
|
||||
source: {{internal_tls.portal_key_path}}
|
||||
target: /etc/harbor/tls/portal.key
|
||||
{% endif %}
|
||||
networks:
|
||||
- harbor
|
||||
dns_search: .
|
||||
|
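Review bot: The two new bind mounts expose the portal private key to the container in the default read-write mode; neither bind (nor the existing `nginx.conf` bind in the context above) sets `read_only: true`, so a fault or compromise in the nginx process could modify the key or config on the host. The container runs as `USER nginx`, so the host-side `internal_tls.portal_key_path` must also be readable by that uid, which is worth a comment in the template or a permission check in `prepare`. Adding `read_only: true` under each `target:` line is a one-line change per mount.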
@ -19,11 +19,19 @@ http {
|
||||
proxy_http_version 1.1;
|
||||
|
||||
upstream core {
|
||||
{% if internal_tls.enabled %}
|
||||
server core:8443;
|
||||
{% else %}
|
||||
server core:8080;
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
upstream portal {
|
||||
{% if internal_tls.enabled %}
|
||||
server portal:8443;
|
||||
{% else %}
|
||||
server portal:8080;
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
log_format timed_combined '$remote_addr - '
|
||||
@ -47,7 +55,18 @@ http {
|
||||
include /etc/nginx/conf.d/harbor.http.*.conf;
|
||||
|
||||
location / {
|
||||
{% if internal_tls.enabled %}
|
||||
proxy_pass https://portal/;
|
||||
|
||||
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
||||
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
||||
proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
|
||||
proxy_ssl_verify_depth 2;
|
||||
proxy_ssl_verify on;
|
||||
proxy_ssl_session_reuse on;
|
||||
{% else %}
|
||||
proxy_pass http://portal/;
|
||||
{% endif %}
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
@ -60,7 +79,18 @@ http {
|
||||
}
|
||||
|
||||
location /c/ {
|
||||
{% if internal_tls.enabled %}
|
||||
proxy_pass https://core/c/;
|
||||
|
||||
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
||||
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
||||
proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
|
||||
proxy_ssl_verify_depth 2;
|
||||
proxy_ssl_verify on;
|
||||
proxy_ssl_session_reuse on;
|
||||
{% else %}
|
||||
proxy_pass http://core/c/;
|
||||
{% endif %}
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
@ -73,7 +103,18 @@ http {
|
||||
}
|
||||
|
||||
location /api/ {
|
||||
{% if internal_tls.enabled %}
|
||||
proxy_pass https://core/api/;
|
||||
|
||||
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
||||
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
||||
proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
|
||||
proxy_ssl_verify_depth 2;
|
||||
proxy_ssl_verify on;
|
||||
proxy_ssl_session_reuse on;
|
||||
{% else %}
|
||||
proxy_pass http://core/api/;
|
||||
{% endif %}
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
@ -86,7 +127,18 @@ http {
|
||||
}
|
||||
|
||||
location /chartrepo/ {
|
||||
{% if internal_tls.enabled %}
|
||||
proxy_pass https://core/chartrepo/;
|
||||
|
||||
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
||||
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
||||
proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
|
||||
proxy_ssl_verify_depth 2;
|
||||
proxy_ssl_verify on;
|
||||
proxy_ssl_session_reuse on;
|
||||
{% else %}
|
||||
proxy_pass http://core/chartrepo/;
|
||||
{% endif %}
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
@ -103,7 +155,18 @@ http {
|
||||
}
|
||||
|
||||
location /v2/ {
|
||||
{% if internal_tls.enabled %}
|
||||
proxy_pass https://core/v2/;
|
||||
|
||||
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
||||
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
||||
proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
|
||||
proxy_ssl_verify_depth 2;
|
||||
proxy_ssl_verify on;
|
||||
proxy_ssl_session_reuse on;
|
||||
{% else %}
|
||||
proxy_pass http://core/v2/;
|
||||
{% endif %}
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
@ -118,7 +181,18 @@ http {
|
||||
}
|
||||
|
||||
location /service/ {
|
||||
{% if internal_tls.enabled %}
|
||||
proxy_pass https://core/service/;
|
||||
|
||||
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
||||
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
||||
proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
|
||||
proxy_ssl_verify_depth 2;
|
||||
proxy_ssl_verify on;
|
||||
proxy_ssl_session_reuse on;
|
||||
{% else %}
|
||||
proxy_pass http://core/service/;
|
||||
{% endif %}
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
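Review bot: The same six `proxy_ssl_*` directives are pasted into each of the seven `location` blocks (and again in the https template below); nginx accepts `proxy_ssl_certificate`, `proxy_ssl_certificate_key`, `proxy_ssl_trusted_certificate`, `proxy_ssl_verify`, `proxy_ssl_verify_depth` and `proxy_ssl_session_reuse` in the `server` (and `http`) context, where every location inherits them, so a single `{% if internal_tls.enabled %}` block at server level would replace the six copies and keep future changes in one place. Only the scheme in `proxy_pass` then needs to vary per location. The verification also relies on `proxy_ssl_name` defaulting to the upstream name (`core`/`portal`), which matches the CNs the gen script issues; a one-line comment such as `# proxy_ssl_name defaults to the upstream host; the internal certs' CN must match it` would make that dependency visible.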
@ -28,9 +28,13 @@ http {
|
||||
}
|
||||
|
||||
upstream portal {
|
||||
{% if internal_tls.enabled %}
|
||||
server portal:8443;
|
||||
{% else %}
|
||||
server portal:8080;
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
|
||||
log_format timed_combined '$remote_addr - '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" '
|
||||
@ -69,7 +73,18 @@ http {
|
||||
include /etc/nginx/conf.d/harbor.https.*.conf;
|
||||
|
||||
location / {
|
||||
{% if internal_tls.enabled %}
|
||||
proxy_pass https://portal/;
|
||||
|
||||
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
||||
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
||||
proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
|
||||
proxy_ssl_verify_depth 2;
|
||||
proxy_ssl_verify on;
|
||||
proxy_ssl_session_reuse on;
|
||||
{% else %}
|
||||
proxy_pass http://portal/;
|
||||
{% endif %}
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
@ -15,7 +15,20 @@ http {
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
|
||||
server {
|
||||
{% if internal_tls.enabled %}
|
||||
listen 8443 ssl;
|
||||
# SSL
|
||||
ssl_certificate /etc/harbor/tls/portal.crt;
|
||||
ssl_certificate_key /etc/harbor/tls/portal.key;
|
||||
|
||||
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
{% else %}
|
||||
listen 8080;
|
||||
{% endif %}
|
||||
server_name localhost;
|
||||
|
||||
root /usr/share/nginx/html;
|
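Review bot: The new `ssl_ciphers` list admits static-RSA key exchange (`RSA+AESGCM`, `RSA+AES`) and CBC suites, none of which provide forward secrecy, and it ends with a stray `:`; since the only intended client is the internal proxy, which negotiates ECDHE, the list can be tightened to `ssl_ciphers 'ECDHE+AESGCM:!aNULL';`. `ssl_protocols TLSv1.2;` also excludes TLSv1.3 — if the photon nginx/OpenSSL build supports it, `ssl_protocols TLSv1.2 TLSv1.3;` is the better default. The `# Recommendations from …` comment would then no longer describe what is configured and should be updated or dropped; the enclosing `server` block continues outside the hunk.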
@ -95,6 +95,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
|
||||
configs = yaml.load(f)
|
||||
|
||||
config_dict = {
|
||||
'portal_url': 'http://portal:8080',
|
||||
'registry_url': 'http://registry:5000',
|
||||
'registry_controller_url': 'http://registryctl:8080',
|
||||
'core_url': 'http://core:8080',
|
||||
@ -346,6 +347,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
|
||||
config_dict['internal_tls'] = InternalTLS()
|
||||
|
||||
if config_dict['internal_tls'].enabled:
|
||||
config_dict['portal_url'] = 'https://portal:8443'
|
||||
config_dict['registry_url'] = 'https://registry:5443'
|
||||
config_dict['registry_controller_url'] = 'https://registryctl:8443'
|
||||
config_dict['core_url'] = 'https://core:8443'
|
||||
|
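--- /dev/null
+++ b/make/photon/prepare/utils/portal.py
@@ -0,0 +1,18 @@
+from g import config_dir, DEFAULT_GID, DEFAULT_UID, templates_dir
+from utils.misc import prepare_dir
+from utils.jinja import render_jinja
+
+portal_config_dir = config_dir.joinpath("portal")
+portal_conf_template_path = templates_dir.joinpath("portal", "nginx.conf.jinja")
+portal_conf = config_dir.joinpath("portal", "nginx.conf")
+
+def prepare_portal(config_dict):
+    prepare_dir(portal_config_dir, uid=DEFAULT_UID, gid=DEFAULT_GID)
+
+    # Render Jobservice config
+    render_jinja(
+        str(portal_conf_template_path),
+        portal_conf,
+        internal_tls=config_dict['internal_tls'],
+        uid=DEFAULT_UID,
+        gid=DEFAULT_GID)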
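Review bot: The comment above the render call reads `# Render Jobservice config`, but this module renders the portal nginx config; it should read `# Render the portal nginx.conf from its jinja template`. The call also passes the template path through `str(...)` while `portal_conf` is handed over as a `Path`, which only works if `render_jinja` accepts both — worth confirming, or converting both the same way. A module docstring such as `"""Render the portal nginx config into config_dir/portal, owned by DEFAULT_UID:DEFAULT_GID."""` and a one-line docstring on `prepare_portal` noting that it reads `config_dict['internal_tls']` would make the new module self-explanatory.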