Feat: enable tls related thing to jobservice

Add tls related code in jobservice Signed-off-by: DQ <dengq@vmware.com>
2020-02-11 14:25:37 +08:00 · 2020-02-11 14:25:37 +08:00 · e6bb3b0977
parent da359f609f
commit e6bb3b0977
6 changed files with 35 additions and 23 deletions
--- a/src/jobservice/api/server.go
+++ b/src/jobservice/api/server.go
@ -15,12 +15,13 @@
 package api

 import (
+	"context"
 	"crypto/tls"
 	"fmt"
 	"net/http"
 	"time"

-	"context"
+	commonhttp "github.com/goharbor/harbor/src/common/http"
 	"github.com/goharbor/harbor/src/jobservice/config"
 	"github.com/goharbor/harbor/src/jobservice/logger"
 )
@ -73,20 +74,11 @@ func NewServer(ctx context.Context, router Router, cfg ServerConfig) *Server {

 	// Initialize TLS/SSL config if protocol is https
 	if cfg.Protocol == config.JobServiceProtocolHTTPS {
-		tlsCfg := &tls.Config{
-			MinVersion:               tls.VersionTLS12,
-			CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
-			PreferServerCipherSuites: true,
-			CipherSuites: []uint16{
-				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-				tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-				tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-				tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-			},
+		logger.Infof("https enabled, load trustCAs")
+		srv.TLSConfig = &tls.Config{
+			ClientAuth: tls.RequireAndVerifyClientCert,
+			ClientCAs:  commonhttp.GetInternalCA(nil),
 		}
-
-		srv.TLSConfig = tlsCfg
-		srv.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0)
 	}

 	apiServer.httpServer = srv
--- a/src/jobservice/hook/hook_client.go
+++ b/src/jobservice/hook/hook_client.go
@ -15,6 +15,7 @@
 package hook

 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
@ -24,7 +25,7 @@ import (
 	"strings"
 	"time"

-	"context"
+	commonhttp "github.com/goharbor/harbor/src/common/http"
 )

 // Client for handling the hook events
@ -41,6 +42,10 @@ type basicClient struct {

 // NewClient return the ptr of the new hook client
 func NewClient(ctx context.Context) Client {
+	tlsConfig, err := commonhttp.GetInternalTLSConfig()
+	if err != nil {
+		panic(err)
+	}
 	// Create transport
 	transport := &http.Transport{
 		MaxIdleConns:    20,
@ -53,6 +58,7 @@ func NewClient(ctx context.Context) Client {
 		ResponseHeaderTimeout: 10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		Proxy:                 http.ProxyFromEnvironment,
+		TLSClientConfig:       tlsConfig,
 	}

 	client := &http.Client{
--- a/src/jobservice/job/impl/notification/webhook_job.go
+++ b/src/jobservice/job/impl/notification/webhook_job.go
@ -60,13 +60,17 @@ func (wj *WebhookJob) init(ctx job.Context, params map[string]interface{}) error
 	wj.logger = ctx.GetLogger()
 	wj.ctx = ctx

-	// default insecureSkipVerify is false
-	insecureSkipVerify := false
+	// default use insecure transport
+	tr := commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
 	if v, ok := params["skip_cert_verify"]; ok {
-		insecureSkipVerify = v.(bool)
+		if insecure, ok := v.(bool); ok {
+			if insecure {
+				tr = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
+			}
+		}
 	}
 	wj.client = &http.Client{
-		Transport: commonhttp.GetHTTPTransport(insecureSkipVerify),
+		Transport: tr,
 	}

 	return nil
--- a/src/jobservice/runtime/bootstrap.go
+++ b/src/jobservice/runtime/bootstrap.go
@ -230,6 +230,7 @@ func (bs *Bootstrap) createAPIServer(ctx context.Context, cfg *config.Configurat
 		Port:     cfg.Port,
 	}
 	if cfg.HTTPSConfig != nil {
+		serverConfig.Protocol = config.JobServiceProtocolHTTPS
 		serverConfig.Cert = cfg.HTTPSConfig.Cert
 		serverConfig.Key = cfg.HTTPSConfig.Key
 	}
--- a/src/pkg/notification/policy/manager/manager.go
+++ b/src/pkg/notification/policy/manager/manager.go
@ -110,9 +110,14 @@ func (m *DefaultManager) policyHTTPTest(address string, skipCertVerify bool) err
 	}

 	req.Header.Set("Content-Type", "application/json")
-
+	var tp *http.Transport
+	if skipCertVerify {
+		tp = commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
+	} else {
+		tp = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
+	}
 	client := http.Client{
-		Transport: commonhttp.GetHTTPTransport(skipCertVerify),
+		Transport: tp,
 	}

 	resp, err := client.Do(req)
--- a/src/replication/util/util.go
+++ b/src/replication/util/util.go
@ -15,14 +15,18 @@
 package util

 import (
-	"github.com/goharbor/harbor/src/internal"
 	"net/http"
 	"strings"
+
+	commonhttp "github.com/goharbor/harbor/src/common/http"
 )

 // GetHTTPTransport can be used to share the common HTTP transport
 func GetHTTPTransport(insecure bool) *http.Transport {
-	return internal.GetHTTPTransport(insecure)
+	if insecure {
+		return commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
+	}
+	return commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
 }

 // ParseRepository parses the "repository" provided into two parts: namespace and the rest