Feat: enable tls related thing to jobservice
Add TLS-related code to jobservice. Signed-off-by: DQ <dengq@vmware.com>
This commit is contained in:
parent
da359f609f
commit
e6bb3b0977
@ -15,12 +15,13 @@
package api
|
import (
"context"
"crypto/tls"
"fmt"
"net/http"
"time"
|
"context"
commonhttp "github.com/goharbor/harbor/src/common/http"
"github.com/goharbor/harbor/src/jobservice/config"
"github.com/goharbor/harbor/src/jobservice/logger"
)
|
@ -73,20 +74,11 @@ func NewServer(ctx context.Context, router Router, cfg ServerConfig) *Server {
|
// Initialize TLS/SSL config if protocol is https
if cfg.Protocol == config.JobServiceProtocolHTTPS {
tlsCfg := &tls.Config{
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
logger.Infof("https enabled, load trustCAs")
srv.TLSConfig = &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: commonhttp.GetInternalCA(nil),
}
|
srv.TLSConfig = tlsCfg
srv.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0)
}
|
apiServer.httpServer = srv
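Review bot: The new server TLS config at `srv.TLSConfig = &tls.Config{` drops the `MinVersion: tls.VersionTLS12` floor that the removed block enforced, so the listener falls back to crypto/tls defaults, which before Go 1.22 still accept TLS 1.0 and 1.1 on the server side; keep `MinVersion: tls.VersionTLS12,` in the new struct literal alongside `ClientAuth` and `ClientCAs`. `ClientCAs: commonhttp.GetInternalCA(nil)` is assigned without a check: if that helper can return a nil pool when the CA cannot be loaded, `RequireAndVerifyClientCert` would then verify client certificates against the system roots rather than the internal CA, so a nil check with a fatal log before the assignment is worth adding. The removed `srv.TLSNextProto = make(...)` line disabled HTTP/2 on this server; the new code re-enables it, which may be intended but is not mentioned in the commit message. NewServer's body continues outside the hunk.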
|
@ -15,6 +15,7 @@
package hook
|
import (
"context"
"encoding/json"
"errors"
"fmt"
|
@ -24,7 +25,7 @@ import (
"strings"
"time"
|
"context"
commonhttp "github.com/goharbor/harbor/src/common/http"
)
|
// Client for handling the hook events
|
@ -41,6 +42,10 @@ type basicClient struct {
|
// NewClient return the ptr of the new hook client
func NewClient(ctx context.Context) Client {
tlsConfig, err := commonhttp.GetInternalTLSConfig()
if err != nil {
panic(err)
}
// Create transport
transport := &http.Transport{
MaxIdleConns: 20,
|
@ -53,6 +58,7 @@ func NewClient(ctx context.Context) Client {
ResponseHeaderTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
Proxy: http.ProxyFromEnvironment,
TLSClientConfig: tlsConfig,
}
|
client := &http.Client{
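Review bot: `panic(err)` right after `commonhttp.GetInternalTLSConfig()` in NewClient aborts the process without saying which component failed to load its TLS material; since the signature returns only `Client`, the minimal fix is to add context, `panic(fmt.Errorf("loading internal TLS config for hook client: %v", err))`, and the better one is to return `(Client, error)` so the bootstrap can report and exit cleanly. If NewClient is called anywhere other than once at startup, an error here would take down the jobservice rather than fail the single call, which is worth confirming against the callers. NewClient's body continues outside the hunk.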
|
@ -60,13 +60,17 @@ func (wj *WebhookJob) init(ctx job.Context, params map[string]interface{}) error
wj.logger = ctx.GetLogger()
wj.ctx = ctx
|
// default insecureSkipVerify is false
insecureSkipVerify := false
// default use insecure transport
tr := commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
if v, ok := params["skip_cert_verify"]; ok {
insecureSkipVerify = v.(bool)
if insecure, ok := v.(bool); ok {
if insecure {
tr = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
}
}
}
wj.client = &http.Client{
Transport: commonhttp.GetHTTPTransport(insecureSkipVerify),
Transport: tr,
}
|
return nil
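Review bot: The transport selection in WebhookJob.init is inverted: `tr` defaults to `commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)` and is switched to `SecureTransport` only when `skip_cert_verify` is true, so certificate verification is off by default and setting the skip flag turns it on, the opposite of the removed `GetHTTPTransport(insecureSkipVerify)` call and of the same branch in policyHTTPTest elsewhere in this commit. Change the default to `tr := commonhttp.GetHTTPTransport(commonhttp.SecureTransport)`, the inner branch to `tr = commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)`, and the comment to `// default use secure transport`. A `skip_cert_verify` value that is not a bool is now silently ignored by the `ok` check; logging it through `wj.logger` would make a misconfigured policy visible. init's body starts outside the hunk.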
|
@ -230,6 +230,7 @@ func (bs *Bootstrap) createAPIServer(ctx context.Context, cfg *config.Configurat
Port: cfg.Port,
}
if cfg.HTTPSConfig != nil {
serverConfig.Protocol = config.JobServiceProtocolHTTPS
serverConfig.Cert = cfg.HTTPSConfig.Cert
serverConfig.Key = cfg.HTTPSConfig.Key
}
|
@ -110,9 +110,14 @@ func (m *DefaultManager) policyHTTPTest(address string, skipCertVerify bool) err
}
|
req.Header.Set("Content-Type", "application/json")
|
var tp *http.Transport
if skipCertVerify {
tp = commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
} else {
tp = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
}
client := http.Client{
Transport: commonhttp.GetHTTPTransport(skipCertVerify),
Transport: tp,
}
|
resp, err := client.Do(req)
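Review bot: `client := http.Client{` in policyHTTPTest still carries no `Timeout`, so a probe of a user-supplied webhook address that accepts the connection but never answers is bounded only by whatever timeouts `commonhttp.GetHTTPTransport` sets on the transport, which this hunk does not show; adding `Timeout: 30 * time.Second,` to the literal (importing `time` if the file does not already) gives the test an explicit upper bound. The `if skipCertVerify { ... } else { ... }` mapping from a bool to a transport constant is now spelled out here, in WebhookJob.init and in util.GetHTTPTransport within this same commit; if the package graph allows, one shared helper taking the bool would keep the three in step. policyHTTPTest's body starts and ends outside the hunk.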
|
@ -15,14 +15,18 @@
package util
|
import (
"github.com/goharbor/harbor/src/internal"
"net/http"
"strings"
|
commonhttp "github.com/goharbor/harbor/src/common/http"
)
|
// GetHTTPTransport can be used to share the common HTTP transport
func GetHTTPTransport(insecure bool) *http.Transport {
return internal.GetHTTPTransport(insecure)
if insecure {
return commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
}
return commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
}
|
// ParseRepository parses the "repository" provided into two parts: namespace and the rest
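Review bot: The doc comment on `GetHTTPTransport` does not say what the `insecure` parameter selects, and after this change that choice is the whole function; suggest `// GetHTTPTransport returns the shared HTTP transport; insecure selects commonhttp.InsecureTransport, otherwise commonhttp.SecureTransport.` so callers do not have to read the body to learn which transport they get. The comment should also be the place to note that the transport is shared and must not be mutated by callers, if that is what "share the common HTTP transport" is meant to convey.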
|