Add internal tls configs for portal
add the related files, config and commands to enable https for the portal Signed-off-by: DQ <dengq@vmware.com>
This commit is contained in:
parent
9ce29c9dc8
commit
d3ab9d7c6b
@ -37,14 +37,11 @@ COPY --from=nodeportal /build_dir/swagger2.json /usr/share/nginx/html
|
|||||||
COPY --from=nodeportal /build_dir/swagger3.json /usr/share/nginx/html
|
COPY --from=nodeportal /build_dir/swagger3.json /usr/share/nginx/html
|
||||||
COPY --from=nodeportal /build_dir/LICENSE /usr/share/nginx/html
|
COPY --from=nodeportal /build_dir/LICENSE /usr/share/nginx/html
|
||||||
|
|
||||||
COPY make/photon/portal/nginx.conf /etc/nginx/nginx.conf
|
|
||||||
|
|
||||||
EXPOSE 8080
|
|
||||||
VOLUME /var/cache/nginx /var/log/nginx /run
|
VOLUME /var/cache/nginx /var/log/nginx /run
|
||||||
|
|
||||||
STOPSIGNAL SIGQUIT
|
STOPSIGNAL SIGQUIT
|
||||||
|
|
||||||
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || exit 1
|
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || curl --fail -s http://127.0.0.1:8443 || exit 1
|
||||||
USER nginx
|
USER nginx
|
||||||
CMD ["nginx", "-g", "daemon off;"]
|
CMD ["nginx", "-g", "daemon off;"]
|
||||||
|
|
||||||
|
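Review bot: The TLS branch of the new HEALTHCHECK probes `http://127.0.0.1:8443`, but the rendered portal config turns 8443 into a `listen 8443 ssl` socket, so nginx answers a plain-HTTP request there with a 400 and `curl --fail` exits non-zero — with internal_tls enabled the first probe is refused on 8080 and the second fails on 8443, leaving the container permanently unhealthy. Use an https URL for the second probe: `HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || curl --fail -s -k https://127.0.0.1:8443 || exit 1`. `-k` is tolerable only because this is a loopback liveness probe and the certificate's CN is `portal`, not 127.0.0.1; it is not a trust decision and the CA is not mounted into this image anyway. `EXPOSE 8080` appears to be dropped without a replacement; an `EXPOSE 8080 8443` would keep the image self-describing, though this is cosmetic.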
@ -23,6 +23,7 @@ from utils.nginx import prepare_nginx, nginx_confd_dir
|
|||||||
from utils.redis import prepare_redis
|
from utils.redis import prepare_redis
|
||||||
from utils.internal_tls import prepare_tls
|
from utils.internal_tls import prepare_tls
|
||||||
from utils.trivy_adapter import prepare_trivy_adapter
|
from utils.trivy_adapter import prepare_trivy_adapter
|
||||||
|
from utils.portal import prepare_portal
|
||||||
from g import (config_dir, input_config_path, private_key_pem_path, root_crt_path, secret_key_dir,
|
from g import (config_dir, input_config_path, private_key_pem_path, root_crt_path, secret_key_dir,
|
||||||
old_private_key_pem_path, old_crt_path)
|
old_private_key_pem_path, old_crt_path)
|
||||||
|
|
||||||
@ -43,6 +44,7 @@ def prepare(conf, with_notary, with_clair, with_trivy, with_chartmuseum):
|
|||||||
logging.error(e)
|
logging.error(e)
|
||||||
sys.exit(-1)
|
sys.exit(-1)
|
||||||
|
|
||||||
|
prepare_portal(config_dict)
|
||||||
prepare_log_configs(config_dict)
|
prepare_log_configs(config_dict)
|
||||||
prepare_nginx(config_dict)
|
prepare_nginx(config_dict)
|
||||||
prepare_core(config_dict, with_notary=with_notary, with_clair=with_clair, with_trivy=with_trivy, with_chartmuseum=with_chartmuseum)
|
prepare_core(config_dict, with_notary=with_notary, with_clair=with_clair, with_trivy=with_trivy, with_chartmuseum=with_chartmuseum)
|
||||||
|
@ -12,7 +12,7 @@ REDIS_UID = 999
|
|||||||
REDIS_GID = 999
|
REDIS_GID = 999
|
||||||
|
|
||||||
## Global variable
|
## Global variable
|
||||||
templates_dir = "/usr/src/app/templates"
|
templates_dir = Path("/usr/src/app/templates")
|
||||||
|
|
||||||
host_root_dir = Path('/hostfs')
|
host_root_dir = Path('/hostfs')
|
||||||
|
|
||||||
|
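Review bot: `templates_dir` changes type from `str` to `Path` here, which the new portal helper relies on via `.joinpath`, but any existing prepare module that still builds a template path with `templates_dir + "/..."` or `%`-formatting will now raise or yield a wrong path, while `os.path.join(templates_dir, ...)` keeps working. The other utils modules are not visible from this hunk, so please grep for `templates_dir +` and `templates_dir %` before merging. A short comment on the definition, `# Path, not str: callers must use joinpath()/os.path.join()`, would stop the next contributor from reintroducing string concatenation.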
@ -15,7 +15,8 @@ class InternalTLS:
|
|||||||
'core.crt', 'core.key',
|
'core.crt', 'core.key',
|
||||||
'job_service.crt', 'job_service.key',
|
'job_service.crt', 'job_service.key',
|
||||||
'registryctl.crt', 'registryctl.key',
|
'registryctl.crt', 'registryctl.key',
|
||||||
'registry.crt', 'registry.key'
|
'registry.crt', 'registry.key',
|
||||||
|
'portal.crt', 'portal.key'
|
||||||
}
|
}
|
||||||
|
|
||||||
clair_certs_filename = {
|
clair_certs_filename = {
|
||||||
|
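Review bot: Adding `'portal.crt', 'portal.key'` to this filename set presumably makes them mandatory wherever the set drives a presence check, so an existing deployment that generated its internal certificates with the previous gencert script will fail to prepare after upgrading until the two files are created. That is the right behaviour, but it should be stated: a comment such as `# portal.crt/key added with portal internal TLS; regenerate with gencert.sh on upgrade` next to the new entry, plus a line in the upgrade notes, would make the failure self-explanatory. The rest of the `InternalTLS` class lies outside this hunk.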
@ -30,6 +30,14 @@ openssl req -new -newkey rsa:4096 -nodes -sha256 \
|
|||||||
# Sign proxy
|
# Sign proxy
|
||||||
openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out proxy.crt
|
openssl x509 -req -days $DAYS -sha256 -in proxy.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out proxy.crt
|
||||||
|
|
||||||
|
# generate portal key and csr
|
||||||
|
openssl req -new -newkey rsa:4096 -nodes -sha256 \
|
||||||
|
-keyout portal.key \
|
||||||
|
-out portal.csr \
|
||||||
|
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=portal"
|
||||||
|
|
||||||
|
# Sign portal
|
||||||
|
openssl x509 -req -days $DAYS -sha256 -in portal.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out portal.crt
|
||||||
|
|
||||||
# generate core key and csr
|
# generate core key and csr
|
||||||
openssl req -new \
|
openssl req -new \
|
||||||
|
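Review bot: The new portal certificate is issued with only `CN=portal` and no subjectAltName, because the `# Sign portal` step calls `openssl x509 -req` without `-extfile`, mirroring the sibling components. nginx's `proxy_ssl_verify on` on the proxy side still accepts a CN-only name match, but Go clients since 1.15 ignore the CN entirely, so if core ever verifies the certificate behind the new `PORTAL_URL=https://portal:8443` the handshake fails with a name error. If the script runs under bash, appending `-extfile <(printf 'subjectAltName=DNS:portal')` to the `# Sign portal` command is enough; otherwise write the extension to a temp file and pass it with `-extfile`. The same gap exists for the other certificates, but those lines are not part of this change.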
@ -17,6 +17,7 @@ POSTGRESQL_SSLMODE={{harbor_db_sslmode}}
|
|||||||
POSTGRESQL_MAX_IDLE_CONNS={{harbor_db_max_idle_conns}}
|
POSTGRESQL_MAX_IDLE_CONNS={{harbor_db_max_idle_conns}}
|
||||||
POSTGRESQL_MAX_OPEN_CONNS={{harbor_db_max_open_conns}}
|
POSTGRESQL_MAX_OPEN_CONNS={{harbor_db_max_open_conns}}
|
||||||
REGISTRY_URL={{registry_url}}
|
REGISTRY_URL={{registry_url}}
|
||||||
|
PORTAL_URL={{portal_url}}
|
||||||
TOKEN_SERVICE_URL={{token_service_url}}
|
TOKEN_SERVICE_URL={{token_service_url}}
|
||||||
HARBOR_ADMIN_PASSWORD={{harbor_admin_password}}
|
HARBOR_ADMIN_PASSWORD={{harbor_admin_password}}
|
||||||
MAX_JOB_WORKERS={{max_job_workers}}
|
MAX_JOB_WORKERS={{max_job_workers}}
|
||||||
|
@ -234,6 +234,18 @@ services:
|
|||||||
- SETGID
|
- SETGID
|
||||||
- SETUID
|
- SETUID
|
||||||
- NET_BIND_SERVICE
|
- NET_BIND_SERVICE
|
||||||
|
volumes:
|
||||||
|
- type: bind
|
||||||
|
source: ./common/config/portal/nginx.conf
|
||||||
|
target: /etc/nginx/nginx.conf
|
||||||
|
{%if internal_tls.enabled %}
|
||||||
|
- type: bind
|
||||||
|
source: {{internal_tls.portal_crt_path}}
|
||||||
|
target: /etc/harbor/tls/portal.crt
|
||||||
|
- type: bind
|
||||||
|
source: {{internal_tls.portal_key_path}}
|
||||||
|
target: /etc/harbor/tls/portal.key
|
||||||
|
{% endif %}
|
||||||
networks:
|
networks:
|
||||||
- harbor
|
- harbor
|
||||||
dns_search: .
|
dns_search: .
|
||||||
|
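Review bot: The three new bind mounts hand the portal container writable access to its own `nginx.conf` and to `portal.key`; nothing in the hunk marks them read-only, so a compromised nginx process can overwrite the config or the private key on the host. Add `read_only: true` to each of the three `- type: bind` entries, matching whatever the proxy service already does for `proxy.crt`/`proxy.key`. The container runs as `USER nginx` per the Dockerfile hunk, so `internal_tls.portal_key_path` on the host must be readable by that uid (e.g. mode 0400 owned by the nginx uid); the prepare script may already enforce this, but it is not visible here.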
@ -19,11 +19,19 @@ http {
|
|||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
|
|
||||||
upstream core {
|
upstream core {
|
||||||
|
{% if internal_tls.enabled %}
|
||||||
|
server core:8443;
|
||||||
|
{% else %}
|
||||||
server core:8080;
|
server core:8080;
|
||||||
|
{% endif %}
|
||||||
}
|
}
|
||||||
|
|
||||||
upstream portal {
|
upstream portal {
|
||||||
|
{% if internal_tls.enabled %}
|
||||||
|
server portal:8443;
|
||||||
|
{% else %}
|
||||||
server portal:8080;
|
server portal:8080;
|
||||||
|
{% endif %}
|
||||||
}
|
}
|
||||||
|
|
||||||
log_format timed_combined '$remote_addr - '
|
log_format timed_combined '$remote_addr - '
|
||||||
@ -47,7 +55,18 @@ http {
|
|||||||
include /etc/nginx/conf.d/harbor.http.*.conf;
|
include /etc/nginx/conf.d/harbor.http.*.conf;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
{% if internal_tls.enabled %}
|
||||||
|
proxy_pass https://portal/;
|
||||||
|
|
||||||
|
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
||||||
|
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
||||||
|
proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
|
||||||
|
proxy_ssl_verify_depth 2;
|
||||||
|
proxy_ssl_verify on;
|
||||||
|
proxy_ssl_session_reuse on;
|
||||||
|
{% else %}
|
||||||
proxy_pass http://portal/;
|
proxy_pass http://portal/;
|
||||||
|
{% endif %}
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
@ -60,7 +79,18 @@ http {
|
|||||||
}
|
}
|
||||||
|
|
||||||
location /c/ {
|
location /c/ {
|
||||||
|
{% if internal_tls.enabled %}
|
||||||
|
proxy_pass https://core/c/;
|
||||||
|
|
||||||
|
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
||||||
|
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
||||||
|
proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
|
||||||
|
proxy_ssl_verify_depth 2;
|
||||||
|
proxy_ssl_verify on;
|
||||||
|
proxy_ssl_session_reuse on;
|
||||||
|
{% else %}
|
||||||
proxy_pass http://core/c/;
|
proxy_pass http://core/c/;
|
||||||
|
{% endif %}
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
@ -73,7 +103,18 @@ http {
|
|||||||
}
|
}
|
||||||
|
|
||||||
location /api/ {
|
location /api/ {
|
||||||
|
{% if internal_tls.enabled %}
|
||||||
|
proxy_pass https://core/api/;
|
||||||
|
|
||||||
|
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
||||||
|
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
||||||
|
proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
|
||||||
|
proxy_ssl_verify_depth 2;
|
||||||
|
proxy_ssl_verify on;
|
||||||
|
proxy_ssl_session_reuse on;
|
||||||
|
{% else %}
|
||||||
proxy_pass http://core/api/;
|
proxy_pass http://core/api/;
|
||||||
|
{% endif %}
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
@ -86,7 +127,18 @@ http {
|
|||||||
}
|
}
|
||||||
|
|
||||||
location /chartrepo/ {
|
location /chartrepo/ {
|
||||||
|
{% if internal_tls.enabled %}
|
||||||
|
proxy_pass https://core/chartrepo/;
|
||||||
|
|
||||||
|
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
||||||
|
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
||||||
|
proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
|
||||||
|
proxy_ssl_verify_depth 2;
|
||||||
|
proxy_ssl_verify on;
|
||||||
|
proxy_ssl_session_reuse on;
|
||||||
|
{% else %}
|
||||||
proxy_pass http://core/chartrepo/;
|
proxy_pass http://core/chartrepo/;
|
||||||
|
{% endif %}
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
@ -103,7 +155,18 @@ http {
|
|||||||
}
|
}
|
||||||
|
|
||||||
location /v2/ {
|
location /v2/ {
|
||||||
|
{% if internal_tls.enabled %}
|
||||||
|
proxy_pass https://core/v2/;
|
||||||
|
|
||||||
|
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
||||||
|
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
||||||
|
proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
|
||||||
|
proxy_ssl_verify_depth 2;
|
||||||
|
proxy_ssl_verify on;
|
||||||
|
proxy_ssl_session_reuse on;
|
||||||
|
{% else %}
|
||||||
proxy_pass http://core/v2/;
|
proxy_pass http://core/v2/;
|
||||||
|
{% endif %}
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
@ -118,7 +181,18 @@ http {
|
|||||||
}
|
}
|
||||||
|
|
||||||
location /service/ {
|
location /service/ {
|
||||||
|
{% if internal_tls.enabled %}
|
||||||
|
proxy_pass https://core/service/;
|
||||||
|
|
||||||
|
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
||||||
|
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
||||||
|
proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
|
||||||
|
proxy_ssl_verify_depth 2;
|
||||||
|
proxy_ssl_verify on;
|
||||||
|
proxy_ssl_session_reuse on;
|
||||||
|
{% else %}
|
||||||
proxy_pass http://core/service/;
|
proxy_pass http://core/service/;
|
||||||
|
{% endif %}
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
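Review bot: The same six `proxy_ssl_*` directives are pasted into every proxied location of this template (`/`, `/c/`, `/api/`, `/chartrepo/`, `/v2/`, `/service/`) and again in the https template, so a future change to the trusted CA path or verify depth has to be repeated in every location and one missed copy silently weakens verification for that path only. nginx accepts all of these directives at `server` (and `http`) level, so they can be declared once inside the `server {}` block, guarded by a single `{% if internal_tls.enabled %}`, leaving only the `proxy_pass https://…` vs `http://…` switch per location. Because the template already gates on `internal_tls.enabled`, the non-TLS rendering is byte-for-byte unchanged. The enclosing `server {}` block starts above the hunks shown here.
```nginx
server {
    # … unchanged: listen, server_name, includes …
    {% if internal_tls.enabled %}
    proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
    proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
    proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
    proxy_ssl_verify_depth 2;
    proxy_ssl_verify on;
    proxy_ssl_session_reuse on;
    {% endif %}

    location / {
    {% if internal_tls.enabled %}
        proxy_pass https://portal/;
    {% else %}
        proxy_pass http://portal/;
    {% endif %}
        # … unchanged: proxy_set_header lines …
    }
    # … unchanged: remaining locations, each reduced to the proxy_pass switch …
```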
@ -28,9 +28,13 @@ http {
|
|||||||
}
|
}
|
||||||
|
|
||||||
upstream portal {
|
upstream portal {
|
||||||
|
{% if internal_tls.enabled %}
|
||||||
|
server portal:8443;
|
||||||
|
{% else %}
|
||||||
server portal:8080;
|
server portal:8080;
|
||||||
|
{% endif %}
|
||||||
}
|
}
|
||||||
|
|
||||||
log_format timed_combined '$remote_addr - '
|
log_format timed_combined '$remote_addr - '
|
||||||
'"$request" $status $body_bytes_sent '
|
'"$request" $status $body_bytes_sent '
|
||||||
'"$http_referer" "$http_user_agent" '
|
'"$http_referer" "$http_user_agent" '
|
||||||
@ -69,7 +73,18 @@ http {
|
|||||||
include /etc/nginx/conf.d/harbor.https.*.conf;
|
include /etc/nginx/conf.d/harbor.https.*.conf;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
{% if internal_tls.enabled %}
|
||||||
|
proxy_pass https://portal/;
|
||||||
|
|
||||||
|
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
||||||
|
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
||||||
|
proxy_ssl_trusted_certificate /harbor_cust_cert/harbor_internal_ca.crt;
|
||||||
|
proxy_ssl_verify_depth 2;
|
||||||
|
proxy_ssl_verify on;
|
||||||
|
proxy_ssl_session_reuse on;
|
||||||
|
{% else %}
|
||||||
proxy_pass http://portal/;
|
proxy_pass http://portal/;
|
||||||
|
{% endif %}
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
@ -15,7 +15,20 @@ http {
|
|||||||
scgi_temp_path /tmp/scgi_temp;
|
scgi_temp_path /tmp/scgi_temp;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
{% if internal_tls.enabled %}
|
||||||
|
listen 8443 ssl;
|
||||||
|
# SSL
|
||||||
|
ssl_certificate /etc/harbor/tls/portal.crt;
|
||||||
|
ssl_certificate_key /etc/harbor/tls/portal.key;
|
||||||
|
|
||||||
|
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||||
|
ssl_protocols TLSv1.2;
|
||||||
|
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_session_cache shared:SSL:10m;
|
||||||
|
{% else %}
|
||||||
listen 8080;
|
listen 8080;
|
||||||
|
{% endif %}
|
||||||
server_name localhost;
|
server_name localhost;
|
||||||
|
|
||||||
root /usr/share/nginx/html;
|
root /usr/share/nginx/html;
|
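Review bot: The new TLS server block accepts any client: the proxy template presents `proxy.crt` to this listener, but nothing here sets `ssl_client_certificate` or `ssl_verify_client`, so the client certificate is sent and then ignored and the presented proxy identity buys nothing. If the intent of sending proxy.crt is mutual TLS, add after `ssl_certificate_key`: `ssl_client_certificate /harbor_cust_cert/harbor_internal_ca.crt;` and `ssl_verify_client on;` — which also requires mounting the internal CA into the portal container, since the compose hunk mounts only portal.crt and portal.key. Separately, the cipher list still admits plain `RSA+AES` (no forward secrecy) and ends with a stray `:`; trimming it to the `kECDH`/`ECDH` groups is safe for an internal hop where the only peer is the proxy's nginx. The `server {}` block continues past the end of this hunk.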
@ -95,6 +95,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
|
|||||||
configs = yaml.load(f)
|
configs = yaml.load(f)
|
||||||
|
|
||||||
config_dict = {
|
config_dict = {
|
||||||
|
'portal_url': 'http://portal:8080',
|
||||||
'registry_url': 'http://registry:5000',
|
'registry_url': 'http://registry:5000',
|
||||||
'registry_controller_url': 'http://registryctl:8080',
|
'registry_controller_url': 'http://registryctl:8080',
|
||||||
'core_url': 'http://core:8080',
|
'core_url': 'http://core:8080',
|
||||||
@ -346,6 +347,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
|
|||||||
config_dict['internal_tls'] = InternalTLS()
|
config_dict['internal_tls'] = InternalTLS()
|
||||||
|
|
||||||
if config_dict['internal_tls'].enabled:
|
if config_dict['internal_tls'].enabled:
|
||||||
|
config_dict['portal_url'] = 'https://portal:8443'
|
||||||
config_dict['registry_url'] = 'https://registry:5443'
|
config_dict['registry_url'] = 'https://registry:5443'
|
||||||
config_dict['registry_controller_url'] = 'https://registryctl:8443'
|
config_dict['registry_controller_url'] = 'https://registryctl:8443'
|
||||||
config_dict['core_url'] = 'https://core:8443'
|
config_dict['core_url'] = 'https://core:8443'
|
||||||
|
18
make/photon/prepare/utils/portal.py
Normal file
18
make/photon/prepare/utils/portal.py
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
from g import config_dir, DEFAULT_GID, DEFAULT_UID, templates_dir
|
||||||
|
from utils.misc import prepare_dir
|
||||||
|
from utils.jinja import render_jinja
|
||||||
|
|
||||||
|
portal_config_dir = config_dir.joinpath("portal")
|
||||||
|
portal_conf_template_path = templates_dir.joinpath("portal", "nginx.conf.jinja")
|
||||||
|
portal_conf = config_dir.joinpath("portal", "nginx.conf")
|
||||||
|
|
||||||
|
def prepare_portal(config_dict):
|
||||||
|
prepare_dir(portal_config_dir, uid=DEFAULT_UID, gid=DEFAULT_GID)
|
||||||
|
|
||||||
|
# Render Jobservice config
|
||||||
|
render_jinja(
|
||||||
|
str(portal_conf_template_path),
|
||||||
|
portal_conf,
|
||||||
|
internal_tls=config_dict['internal_tls'],
|
||||||
|
uid=DEFAULT_UID,
|
||||||
|
gid=DEFAULT_GID)
|
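Review bot: The comment `# Render Jobservice config` above `render_jinja` is copied from the jobservice helper and names the wrong component; change it to `# Render the portal nginx config from templates/portal/nginx.conf.jinja`. The module has no docstring either: a one-liner such as `"""Render the portal's nginx.conf (plain or internal-TLS) into config_dir/portal."""`, plus a `prepare_portal` docstring saying that it creates the portal config directory owned by DEFAULT_UID/DEFAULT_GID and renders the template with the `internal_tls` section of `config_dict`, would let readers skip the jinja file. As a point of style, `portal_conf` repeats the `"portal"` segment and could be `portal_config_dir.joinpath("nginx.conf")`, so the directory and file paths cannot drift apart.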