Refator tls config

use default Httptransport instead of empty one
remove unused code

Signed-off-by: DQ <dengq@vmware.com>

src/common/http/client.go

@@ -16,7 +16,6 @@ package http
 
 import (
 	"bytes"
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"io"
@@ -30,11 +29,8 @@ import (
 )
 
 const (
-	// DefaultTransport used to get the default http Transport
-	DefaultTransport = iota
 	// InsecureTransport used to get the insecure http Transport
-	InsecureTransport
-
+	InsecureTransport = iota
 	// SecureTransport used to get the external secure http Transport
 	SecureTransport
 )
@@ -45,19 +41,9 @@ var (
 )
 
 func init() {
-	secureHTTPTransport = &http.Transport{
-		Proxy: http.ProxyFromEnvironment,
-		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: false,
-		},
-	}
-
-	insecureHTTPTransport = &http.Transport{
-		Proxy: http.ProxyFromEnvironment,
-		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: true,
-		},
-	}
+	secureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()
+	insecureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()
+	insecureHTTPTransport.TLSClientConfig.InsecureSkipVerify = true
 
 	if InternalTLSEnabled() {
 		tlsConfig, err := GetInternalTLSConfig()
@@ -88,6 +74,14 @@ func GetHTTPTransport(clientType uint) *http.Transport {
 	}
 }
 
+// GetHTTPTransportByInsecure returns a insecure HttpTransport if insecure is true or it returns secure one
+func GetHTTPTransportByInsecure(insecure bool) *http.Transport {
+	if insecure {
+		return insecureHTTPTransport
+	}
+	return secureHTTPTransport
+}
+
 // NewClient creates an instance of Client.
 // Use net/http.Client as the default value if c is nil.
 // Modifiers modify the request before sending it.
@@ -97,7 +91,7 @@ func NewClient(c *http.Client, modifiers ...modifier.Modifier) *Client {
 	}
 	if client.client == nil {
 		client.client = &http.Client{
-			Transport: GetHTTPTransport(DefaultTransport),
+			Transport: GetHTTPTransport(SecureTransport),
 		}
 	}
 	if len(modifiers) > 0 {

src/common/http/tls.go

@@ -16,13 +16,9 @@ package http
 
 import (
 	"crypto/tls"
-	"crypto/x509"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"strings"
-
-	"github.com/goharbor/harbor/src/common/utils/log"
 )
 
 const (
@@ -36,40 +32,12 @@ const (
 
 // InternalTLSEnabled returns if internal TLS enabled
 func InternalTLSEnabled() bool {
-	if strings.ToLower(os.Getenv(internalTLSEnable)) == "true" {
-		return true
-	}
-	return false
+	return strings.ToLower(os.Getenv(internalTLSEnable)) == "true"
 }
 
 // InternalEnableVerifyClientCert returns if mTLS enabled
 func InternalEnableVerifyClientCert() bool {
-	if strings.ToLower(os.Getenv(internalVerifyClientCert)) == "true" {
-		return true
-	}
-	return false
-}
-
-// GetInternalCA used to get internal cert file from Env
-func GetInternalCA(caPool *x509.CertPool) *x509.CertPool {
-	if caPool == nil {
-		caPool = x509.NewCertPool()
-	}
-
-	caPath := os.Getenv(internalTrustCAPath)
-	if caPath != "" {
-		caCert, err := ioutil.ReadFile(caPath)
-		if err != nil {
-			log.Errorf("read ca file %s failure %w", caPath, err)
-		}
-		if ok := caPool.AppendCertsFromPEM(caCert); !ok {
-			log.Errorf("append ca to ca pool fail")
-		} else {
-			log.Infof("append trustCA %s success", caPath)
-		}
-	}
-
-	return caPool
+	return strings.ToLower(os.Getenv(internalVerifyClientCert)) == "true"
 }
 
 // GetInternalCertPair used to get internal cert and key pair from environment

src/common/job/client.go

@@ -79,22 +79,16 @@ func NewDefaultClient(endpoint, secret string) *DefaultClient {
 
 // NewReplicationClient used to create a client for replication
 func NewReplicationClient(endpoint, secret string) *DefaultClient {
-	var tr *http.Transport
-	if endpoint == config.InternalCoreURL() {
-		tr = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
-	} else {
-		tr = commonhttp.GetHTTPTransport(commonhttp.DefaultTransport)
-	}
-
 	var c *commonhttp.Client
+
 	if len(secret) > 0 {
 		c = commonhttp.NewClient(&http.Client{
-			Transport: tr,
+			Transport: commonhttp.GetHTTPTransport(commonhttp.SecureTransport),
 		},
 			auth.NewSecretAuthorizer(secret))
 	} else {
 		c = commonhttp.NewClient(&http.Client{
-			Transport: tr,
+			Transport: commonhttp.GetHTTPTransport(commonhttp.SecureTransport),
 		})
 	}
 

src/pkg/notification/policy/manager/manager.go

@@ -110,14 +110,8 @@ func (m *DefaultManager) policyHTTPTest(address string, skipCertVerify bool) err
 	}
 
 	req.Header.Set("Content-Type", "application/json")
-	var tp *http.Transport
-	if skipCertVerify {
-		tp = commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
-	} else {
-		tp = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
-	}
 	client := http.Client{
-		Transport: tp,
+		Transport: commonhttp.GetHTTPTransportByInsecure(skipCertVerify),
 	}
 
 	resp, err := client.Do(req)

src/pkg/signature/notary/helper.go

@@ -82,7 +82,7 @@ func GetTargets(notaryEndpoint string, username string, fqRepo string) ([]model2
 	authorizer := &notaryAuthorizer{
 		token: t.Token,
 	}
-	tr := NewTransport(commonhttp.GetHTTPTransport(commonhttp.DefaultTransport), authorizer)
+	tr := NewTransport(commonhttp.GetHTTPTransport(commonhttp.SecureTransport), authorizer)
 	gun := data.GUN(fqRepo)
 	notaryRepo, err := client.NewFileCachedRepository(notaryCachePath, gun, notaryEndpoint, tr, mockRetriever, trustPin)
 	if err != nil {

src/replication/adapter/awsecr/adapter.go

@@ -245,18 +245,12 @@ func (a *adapter) createRepository(repository string) error {
 	if a.region == "" {
 		return errors.New("no region parsed")
 	}
-	var tr *http.Transport
-	if a.registry.Insecure {
-		tr = commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
-	} else {
-		tr = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
-	}
 
 	config := &aws.Config{
 		Credentials: cred,
 		Region:      &a.region,
 		HTTPClient: &http.Client{
-			Transport: tr,
+			Transport: commonhttp.GetHTTPTransportByInsecure(a.registry.Insecure),
 		},
 	}
 	if a.forceEndpoint != nil {