Merge pull request #9550 from ninjadq/enable_https_by_default

Enable https by default

make/harbor.yml

@@ -10,12 +10,12 @@ http:
   port: 80
 
 # https related config
-# https:
-#   # https port for harbor, default is 443
-#   port: 443
-#   # The path of cert and key files for nginx
-#   certificate: /your/certificate/path
-#   private_key: /your/private/key/path
+https:
+  # https port for harbor, default is 443
+  port: 443
+  # The path of cert and key files for nginx
+  certificate: /your/certificate/path
+  private_key: /your/private/key/path
 
 # Uncomment external_url if you want to enable external proxy
 # And when it enabled the hostname will no longer used

make/install.sh

@@ -29,8 +29,8 @@ while [ $# -gt 0 ]; do
             with_notary=true;;
             --with-clair)
             with_clair=true;;
-			--with-chartmuseum)
-			with_chartmuseum=true;;
+            --with-chartmuseum)
+            with_chartmuseum=true;;
             *)
             note "$usage"
             exit 1;;
@@ -41,37 +41,27 @@ done
 workdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 cd $workdir
 
-# The hostname in harbor.yml has not been modified
-if grep '^[[:blank:]]*hostname: reg.mydomain.com' &> /dev/null harbor.yml
-then
-	warn "$usage"
-	exit 1
-fi
-
-h2 "[Step $item]: checking installation environment ..."; let item+=1
+h2 "[Step $item]: checking if docker is installed ..."; let item+=1
 check_docker
-check_dockercompose
 
-if [ -f harbor*.tar.gz ]
-then
-	h2 "[Step $item]: loading Harbor images ..."; let item+=1
-	docker load -i ./harbor*.tar.gz
-fi
-echo ""
+h2 "[Step $item]: checking docker-compose is installed ..."; let item+=1
+check_dockercompose
 
 h2 "[Step $item]: preparing environment ...";  let item+=1
 if [ -n "$host" ]
 then
-	sed "s/^hostname: .*/hostname: $host/g" -i ./harbor.yml
+    sed "s/^hostname: .*/hostname: $host/g" -i ./harbor.yml
 fi
+
+h2 "[Step $item]: preparing harbor configs ...";  let item+=1
 prepare_para=
 if [ $with_notary ] 
 then
-	prepare_para="${prepare_para} --with-notary"
+    prepare_para="${prepare_para} --with-notary"
 fi
 if [ $with_clair ]
 then
-	prepare_para="${prepare_para} --with-clair"
+    prepare_para="${prepare_para} --with-clair"
 fi
 if [ $with_chartmuseum ]
 then
@@ -81,32 +71,21 @@ fi
 ./prepare $prepare_para
 echo ""
 
+if [ -f harbor*.tar.gz ]
+then
+    h2 "[Step $item]: loading Harbor images ..."; let item+=1
+    docker load -i ./harbor*.tar.gz
+fi
+echo ""
+
 if [ -n "$(docker-compose ps -q)"  ]
 then
-	note "stopping existing Harbor instance ..." 
-	docker-compose down -v
+    note "stopping existing Harbor instance ..." 
+    docker-compose down -v
 fi
 echo ""
 
 h2 "[Step $item]: starting Harbor ..."
 docker-compose up -d
 
-protocol=http
-hostname=reg.mydomain.com
-
-if [ -n "$(grep '^[^#]*https:' ./harbor.yml)" ]
-then
-protocol=https
-fi
-
-if [[ $(grep '^[[:blank:]]*hostname:' ./harbor.yml) =~ hostname:[[:blank:]]*(.*) ]]
-then
-hostname=${BASH_REMATCH[1]}
-fi
-echo ""
-
-success $"----Harbor has been installed and started successfully.----
-
-Now you should be able to visit the admin portal at ${protocol}://${hostname}. 
-For more details, please visit https://github.com/goharbor/harbor .
-"
+success $"----Harbor has been installed and started successfully.----"

make/photon/prepare/main.py

@@ -31,7 +31,10 @@ def main(conf, with_notary, with_clair, with_chartmuseum):
 
     delfile(config_dir)
     config_dict = parse_yaml_config(conf, with_notary=with_notary, with_clair=with_clair, with_chartmuseum=with_chartmuseum)
-    validate(config_dict, notary_mode=with_notary)
+    try:
+        validate(config_dict, notary_mode=with_notary)
+    except Exception as e:
+        print("Config validation Error: ", e)
 
     prepare_log_configs(config_dict)
     prepare_nginx(config_dict)

make/photon/prepare/utils/configs.py

@@ -1,20 +1,31 @@
 import yaml
+import logging
 from g import versions_file_path
 from .misc import generate_random_string
 
 default_db_max_idle_conns = 2  # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxIdleConns
 default_db_max_open_conns = 0  # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxOpenConns
+default_https_cert_path = '/your/certificate/path'
+default_https_key_path = '/your/certificate/path'
+def validate(conf: dict, **kwargs):
+    # hostname validate
+    if conf.get('hostname') == '127.0.0.1':
+        raise Exception("127.0.0.1 can not be the hostname")
+    if conf.get('hostname') == 'reg.mydomain.com':
+        raise Exception("Please specify hostname")
 
-def validate(conf, **kwargs):
+    # protocol validate
     protocol = conf.get("protocol")
     if protocol != "https" and kwargs.get('notary_mode'):
         raise Exception(
             "Error: the protocol must be https when Harbor is deployed with Notary")
     if protocol == "https":
-        if not conf.get("cert_path"):
+        if not conf.get("cert_path") or conf["cert_path"] == default_https_cert_path:
             raise Exception("Error: The protocol is https but attribute ssl_cert is not set")
-        if not conf.get("cert_key_path"):
+        if not conf.get("cert_key_path") or conf['cert_key_path'] == default_https_key_path:
             raise Exception("Error: The protocol is https but attribute ssl_cert_key is not set")
+    if protocol == "http":
+        logging.warning("WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https")
 
     # log endpoint validate
     if ('log_ep_host' in conf) and not conf['log_ep_host']:

tests/hostcfg.sh

@@ -4,6 +4,9 @@ IP=`ip addr s eth0 |grep "inet "|awk '{print $2}' |awk -F "/" '{print $1}'`
 #echo $IP
 sudo sed "s/reg.mydomain.com/$IP/" -i make/harbor.yml
 
-echo "https:" >> make/harbor.yml
-echo "  certificate: /data/cert/server.crt" >> make/harbor.yml
-echo "  private_key: /data/cert/server.key" >> make/harbor.yml
+# TODO: remove it when scanner adapter support internal access of harbor
+echo "storage_service:" >> make/harbor.yml
+echo "  ca_bundle: /data/cert/server.crt" >> make/harbor.yml
+
+sed "s|/your/certificate/path|/data/cert/server.crt|g" -i make/harbor.yml
+sed "s|/your/private/key/path|/data/cert/server.key|g" -i make/harbor.yml