From 03e11c63c7abf1bcf26b1aaaa80bafee53165062 Mon Sep 17 00:00:00 2001
From: DQ
Date: Thu, 12 Mar 2020 02:13:58 +0800
Subject: [PATCH] Fix docker file with secure tls change

Signed-off-by: DQ
---
 make/photon/core/Dockerfile | 10 ++++++++--
 make/photon/core/Dockerfile.base | 2 +-
 make/photon/core/entrypoint.sh | 7 +++++++
 make/photon/jobservice/Dockerfile | 10 ++++++++--
 make/photon/jobservice/Dockerfile.base | 2 +-
 make/photon/jobservice/entrypoint.sh | 7 +++++++
 make/photon/prepare/templates/core/env.jinja | 2 +-
 .../docker_compose/docker-compose.yml.jinja | 17 +++-------------
 .../prepare/templates/jobservice/env.jinja | 3 ++-
 .../prepare/templates/registryctl/env.jinja | 2 +-
 src/common/http/client.go | 17 +++++++++++++----
 src/common/http/tls.go | 4 ----
 src/pkg/registry/client.go | 16 ++--------------
 13 files changed, 54 insertions(+), 45 deletions(-)
 create mode 100644 make/photon/core/entrypoint.sh
 create mode 100644 make/photon/jobservice/entrypoint.sh

diff --git a/make/photon/core/Dockerfile b/make/photon/core/Dockerfile
index 6ea45e847..e0e3e96af 100644
--- a/make/photon/core/Dockerfile
+++ b/make/photon/core/Dockerfile
@@ -2,12 +2,18 @@ ARG harbor_base_image_version FROM goharbor/harbor-core-base:${harbor_base_image_version} HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v2.0/ping || exit 1 +COPY ./make/photon/common/install_cert.sh /harbor/ +COPY ./make/photon/core/entrypoint.sh /harbor/ COPY ./make/photon/core/harbor_core /harbor/ COPY ./src/core/views /harbor/views COPY ./make/migrations /harbor/migrations -RUN chmod u+x /harbor/harbor_core +RUN chown -R harbor:harbor /etc/pki/tls/certs \ + && chown harbor:harbor /harbor/entrypoint.sh && chmod u+x /harbor/entrypoint.sh \ + && chown harbor:harbor /harbor/install_cert.sh && chmod u+x /harbor/install_cert.sh \ + && chown harbor:harbor /harbor/harbor_core && chmod u+x /harbor/harbor_core + WORKDIR /harbor/ USER harbor -ENTRYPOINT ["/harbor/harbor_core"] +ENTRYPOINT ["/harbor/entrypoint.sh"] COPY make/photon/prepare/versions /harbor/ diff --git a/make/photon/core/Dockerfile.base b/make/photon/core/Dockerfile.base index db9991d27..865834fad 100644 --- a/make/photon/core/Dockerfile.base +++ b/make/photon/core/Dockerfile.base @@ -2,5 +2,5 @@ FROM photon:2.0 RUN tdnf install sudo tzdata -y >> /dev/null \ && tdnf clean all \ - && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor \ + && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor \ && mkdir /harbor/ diff --git a/make/photon/core/entrypoint.sh b/make/photon/core/entrypoint.sh new file mode 100644 index 000000000..40aa646a8 --- /dev/null +++ b/make/photon/core/entrypoint.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +set -e + +/harbor/install_cert.sh + +/harbor/harbor_core diff --git a/make/photon/jobservice/Dockerfile b/make/photon/jobservice/Dockerfile index eabfdc5ef..1ba469411 100644 --- a/make/photon/jobservice/Dockerfile +++ b/make/photon/jobservice/Dockerfile 
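Review bot: `chown -R harbor:harbor /etc/pki/tls/certs` in the new RUN step hands the whole system trust directory to the unprivileged service account, so anything that runs as `harbor` inside this container can add a trust anchor for every outbound TLS connection the process makes; the same step appears in the make/photon/jobservice/Dockerfile hunk. If the only intent is to let install_cert.sh drop the internal CA there at start-up, consider doing that step while still root (the base image installs sudo, though no sudoers rule is visible in this diff) and dropping to `harbor` afterwards, or confining write access to the single file it writes. The `chown harbor:harbor` on the binaries is likewise wider than execution needs: `chmod 755 /harbor/harbor_core` leaves the executable root-owned and not writable by the running service. A one-line comment above the RUN step stating why the certs directory has to be writable at runtime would help the next reader.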
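Review bot: The last line of the new make/photon/core/entrypoint.sh starts harbor_core as a child of /bin/sh instead of replacing the shell, so the Go process is not PID 1 and never sees the SIGTERM that `docker stop` sends; the container is then killed after the grace period rather than shutting down cleanly. Use `exec /harbor/harbor_core` here and `exec /harbor/harbor_jobservice -c /etc/jobservice/config.yml` in make/photon/jobservice/entrypoint.sh. With `set -e` a failing install_cert.sh already aborts start-up, which is the right outcome when internal TLS is enabled, but a short comment saying so would help since install_cert.sh itself is not part of this diff.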
@@ -1,9 +1,15 @@ ARG harbor_base_image_version FROM goharbor/harbor-jobservice-base:${harbor_base_image_version} +COPY ./make/photon/common/install_cert.sh /harbor/ +COPY ./make/photon/jobservice/entrypoint.sh /harbor/ COPY ./make/photon/jobservice/harbor_jobservice /harbor/ -RUN chmod u+x /harbor/harbor_jobservice + +RUN chown -R harbor:harbor /etc/pki/tls/certs \ + && chown harbor:harbor /harbor/entrypoint.sh && chmod u+x /harbor/entrypoint.sh \ + && chown harbor:harbor /harbor/install_cert.sh && chmod u+x /harbor/install_cert.sh \ + && chown harbor:harbor /harbor/harbor_jobservice && chmod u+x /harbor/harbor_jobservice WORKDIR /harbor/ @@ -13,4 +19,4 @@ VOLUME ["/var/log/jobs/"] HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v1/stats || exit 1 -ENTRYPOINT ["/harbor/harbor_jobservice", "-c", "/etc/jobservice/config.yml"] +ENTRYPOINT ["/harbor/entrypoint.sh"] diff --git a/make/photon/jobservice/Dockerfile.base b/make/photon/jobservice/Dockerfile.base index 1ad223d45..5bbd68138 100644 --- a/make/photon/jobservice/Dockerfile.base +++ b/make/photon/jobservice/Dockerfile.base @@ -2,4 +2,4 @@ FROM photon:2.0 RUN tdnf install sudo tzdata -y >> /dev/null \ && tdnf clean all \ - && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor + && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor diff --git a/make/photon/jobservice/entrypoint.sh b/make/photon/jobservice/entrypoint.sh new file mode 100644 index 000000000..9c442c8c6 --- /dev/null +++ b/make/photon/jobservice/entrypoint.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +set -e + +/harbor/install_cert.sh + +/harbor/harbor_jobservice -c /etc/jobservice/config.yml diff --git a/make/photon/prepare/templates/core/env.jinja b/make/photon/prepare/templates/core/env.jinja index 3e5c388e2..e67207a4e 100644 --- a/make/photon/prepare/templates/core/env.jinja +++ b/make/photon/prepare/templates/core/env.jinja 
@@ -57,5 +57,5 @@ NO_PROXY={{core_no_proxy}} INTERNAL_TLS_ENABLED=true INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/core.key INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/core.crt -INTERNAL_TLS_TRUST_CA_PATH=/etc/harbor/ssl/harbor_internal_ca.crt +INTERNAL_TLS_TRUST_CA_PATH=/harbor_cust_cert/harbor_internal_ca.crt {% endif %} \ No newline at end of file diff --git a/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja b/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja index 948fd3191..972599422 100644 --- a/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja +++ b/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja @@ -89,7 +89,7 @@ services: {%if internal_tls.enabled %} - type: bind source: {{internal_tls.harbor_internal_ca_crt_path}} - target: /etc/harbor/ssl/harbor_internal_ca.crt + target: /harbor_cust_cert/harbor_internal_ca.crt - type: bind source: {{internal_tls.registryctl_crt_path}} target: /etc/harbor/ssl/registryctl.crt @@ -121,17 +121,6 @@ services: - SETUID volumes: - {{data_volume}}/database:/var/lib/postgresql/data:z -{%if internal_tls.enabled %} - - type: bind - source: {{internal_tls.harbor_internal_ca_crt_path}} - target: /etc/harbor/ssl/harbor_internal_ca.crt - - type: bind - source: {{internal_tls.harbor_db_crt_path}} - target: /etc/harbor/ssl/harbor_db.crt - - type: bind - source: {{internal_tls.harbor_db_key_path}} - target: /etc/harbor/ssl/harbor_db.key -{% endif %} networks: harbor: {% if with_notary %} @@ -187,7 +176,7 @@ services: {%if internal_tls.enabled %} - type: bind source: {{internal_tls.harbor_internal_ca_crt_path}} - target: /etc/harbor/ssl/harbor_internal_ca.crt + target: /harbor_cust_cert/harbor_internal_ca.crt - type: bind source: {{internal_tls.core_crt_path}} target: /etc/harbor/ssl/core.crt 
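Review bot: The retargeted CA bind mounts (`target: /harbor_cust_cert/harbor_internal_ca.crt` in this hunk and again in the -187 and -267 hunks) remain read-write bind mounts, although the new entrypoint only reads the file to copy it into the trust store; `read_only: true` on these entries keeps a compromised container from altering the host-side CA file. Add it under `target:` for each of the three services that mount the CA.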
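Review bot: The -121 hunk removes the postgresql service's entire internal-TLS mount block (the CA, harbor_db.crt and harbor_db.key), which goes beyond the CA path move the other hunks make and is not mentioned in the commit message. If the database is still expected to serve TLS with that key pair when internal_tls.enabled is set, those mounts are needed; if it is no longer meant to, the harbor_db_* paths in the prepare config may now be unused. A sentence in the commit message explaining the removal would settle which it is.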
@@ -267,7 +256,7 @@ services: {%if internal_tls.enabled %} - type: bind source: {{internal_tls.harbor_internal_ca_crt_path}} - target: /etc/harbor/ssl/harbor_internal_ca.crt + target: /harbor_cust_cert/harbor_internal_ca.crt - type: bind source: {{internal_tls.job_service_crt_path}} target: /etc/harbor/ssl/job_service.crt diff --git a/make/photon/prepare/templates/jobservice/env.jinja b/make/photon/prepare/templates/jobservice/env.jinja index 4c1d728d8..ace3eb6ea 100644 --- a/make/photon/prepare/templates/jobservice/env.jinja +++ b/make/photon/prepare/templates/jobservice/env.jinja @@ -1,4 +1,5 @@ CORE_SECRET={{core_secret}} +REGISTRY_URL={{registry_url}} JOBSERVICE_SECRET={{jobservice_secret}} CORE_URL={{core_url}} REGISTRY_CONTROLLER_URL={{registry_controller_url}} @@ -6,7 +7,7 @@ JOBSERVICE_WEBHOOK_JOB_MAX_RETRY={{notification_webhook_job_max_retry}} {%if internal_tls.enabled %} INTERNAL_TLS_ENABLED=true -INTERNAL_TLS_TRUST_CA_PATH=/etc/harbor/ssl/harbor_internal_ca.crt +INTERNAL_TLS_TRUST_CA_PATH=/harbor_cust_cert/harbor_internal_ca.crt INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/job_service.key INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/job_service.crt {% endif %} diff --git a/make/photon/prepare/templates/registryctl/env.jinja b/make/photon/prepare/templates/registryctl/env.jinja index 8ea2663b1..fbe31db66 100644 --- a/make/photon/prepare/templates/registryctl/env.jinja +++ b/make/photon/prepare/templates/registryctl/env.jinja @@ -2,7 +2,7 @@ CORE_SECRET={{core_secret}} JOBSERVICE_SECRET={{jobservice_secret}} {%if internal_tls.enabled %} INTERNAL_TLS_ENABLED=true -INTERNAL_TLS_TRUST_CA_PATH=/etc/harbor/ssl/harbor_internal_ca.crt +INTERNAL_TLS_TRUST_CA_PATH=/harbor_cust_cert/harbor_internal_ca.crt INTERNAL_TLS_KEY_PATH=/etc/harbor/ssl/registryctl.key INTERNAL_TLS_CERT_PATH=/etc/harbor/ssl/registryctl.crt {% endif %} diff --git a/src/common/http/client.go b/src/common/http/client.go index a63983682..397415797 100644 --- a/src/common/http/client.go 
+++ b/src/common/http/client.go @@ -16,6 +16,7 @@ package http import ( "bytes" + "crypto/tls" "encoding/json" "errors" "io" @@ -44,11 +45,19 @@ var ( ) func init() { + secureHTTPTransport = &http.Transport{ + Proxy: http.ProxyFromEnvironment, + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: false, + }, + } - secureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone() - - insecureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone() - insecureHTTPTransport.TLSClientConfig.InsecureSkipVerify = true + insecureHTTPTransport = &http.Transport{ + Proxy: http.ProxyFromEnvironment, + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, + }, + } if InternalTLSEnabled() { tlsConfig, err := GetInternalTLSConfig() diff --git a/src/common/http/tls.go b/src/common/http/tls.go index 1fa745086..83e3245e8 100644 --- a/src/common/http/tls.go +++ b/src/common/http/tls.go @@ -74,9 +74,6 @@ func GetInternalCertPair() (tls.Certificate, error) { // GetInternalTLSConfig return a tls.Config for internal https communicate func GetInternalTLSConfig() (*tls.Config, error) { - // generate ca pool - caCertPool := GetInternalCA(nil) - // genrate key pair cert, err := GetInternalCertPair() if err != nil { @@ -84,7 +81,6 @@ func GetInternalTLSConfig() (*tls.Config, error) { } return &tls.Config{ - RootCAs: caCertPool, Certificates: []tls.Certificate{cert}, }, nil } diff --git a/src/pkg/registry/client.go b/src/pkg/registry/client.go index 2ff282c74..f55d110a1 100644 --- a/src/pkg/registry/client.go +++ b/src/pkg/registry/client.go @@ -44,7 +44,7 @@ var ( Cli = func() Client { url, _ := config.RegistryURL() username, password := config.RegistryCredential() - return NewClient(url, username, password, true) + return NewClient(url, username, password, false) }() accepts = []string{ 
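Review bot: Building secureHTTPTransport and insecureHTTPTransport as bare `&http.Transport{...}` literals in init() discards the settings the previous Clone() inherited from http.DefaultTransport — TLSHandshakeTimeout, IdleConnTimeout, ExpectContinueTimeout, MaxIdleConns and the dialer timeouts — so a TLS handshake against a stalled peer now has no deadline at all. Keep the clone and replace only the TLS config: `secureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()` followed by `secureHTTPTransport.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS12}`, and the same for the insecure one with `InsecureSkipVerify: true`. Because both configs leave RootCAs nil, verification now depends on the system pool, which Go loads once and caches for the life of the process, so the install_cert.sh step has to finish before the binary starts; a comment on the secure transport saying so would make that coupling visible. init() continues past the end of the hunk.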
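Review bot: With `RootCAs: caCertPool` dropped from the config GetInternalTLSConfig returns, verification of internal peers now rests entirely on the container's system trust store, yet the doc comment `// GetInternalTLSConfig return a tls.Config for internal https communicate` still reads as if the config were self-contained. Reword it to say that only the client certificate is set and that the internal CA must already be present in the system roots (installed by entrypoint.sh via install_cert.sh), and fix `genrate` to `generate` in the surviving comment while there. GetInternalCA is no longer called from this function; if this was its only caller it may now be dead code, which the diff does not show. The first hunk ends at `if err != nil {`, so the middle of the function is outside the view.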
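Review bot: `return NewClient(url, username, password, false)` makes the package-level Cli verify the registry's certificate, and the -54, -112 and -133 hunks on the next line remove the localRegistryURL override that used to force the secure transport for the internal hosts, so the `insecure` argument now decides on its own whether InsecureSkipVerify is used for any URL, including the internal registry. That is the intended tightening, but nothing records it: a comment on NewClient such as `// insecure selects the transport that skips certificate verification; internal endpoints must present a cert trusted by the system roots` would document the new contract. Also, if `strings.TrimRight` in the removed lines was the only use of the strings package in this file, the import is now unused and the build will fail; the diff shows no import hunk for this file, so please confirm.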
@@ -54,13 +54,6 @@ var ( schema2.MediaTypeManifest, schema1.MediaTypeSignedManifest, } - - localRegistryURL = map[string]bool{ - "http://registry:5000": true, - "https://registry:5443": true, - "http://core:8080": true, - "https://core:10443": true, - } ) // const definition @@ -112,9 +105,6 @@ func NewClient(url, username, password string, insecure bool) Client { } else { transportType = commonhttp.SecureTransport } - if _, ok := localRegistryURL[strings.TrimRight(url, "/")]; ok { - transportType = commonhttp.SecureTransport - } return &client{ url: url, @@ -133,9 +123,7 @@ func NewClientWithAuthorizer(url string, authorizer internal.Authorizer, insecur } else { transportType = commonhttp.SecureTransport } - if _, ok := localRegistryURL[strings.TrimRight(url, "/")]; ok { - transportType = commonhttp.SecureTransport - } + return &client{ url: url, authorizer: authorizer,