Add switch to https

use switch to make decision whether mTLS or server TLS

Signed-off-by: DQ <dengq@vmware.com>

make/harbor.yml.tmpl

@@ -17,7 +17,10 @@ https:
   certificate: /your/certificate/path
   private_key: /your/private/key/path
 
-# internal_tls: /etc/harbor/tls/internal
+# internal_tls:
+#   enabled: true
+#   verify_client_cert: false
+#   dir: /etc/harbor/tls/internal
 
 # Uncomment external_url if you want to enable external proxy
 # And when it enabled the hostname will no longer used

make/photon/prepare/models.py

@@ -23,6 +23,11 @@ class InternalTLS:
         'clair.crt', 'clair.key'
     }
 
+    trivy_certs_filename = {
+        'trivy_adapter.crt', 'trivy_adapter.key',
+        'trivy.crt', 'trivy.key'
+    }
+
     notary_certs_filename = {
         'notary_signer.crt', 'notary_signer.key',
         'notary_server.crt', 'notary_server.key'
@@ -37,13 +42,12 @@ class InternalTLS:
         'harbor_db.crt', 'harbor_db.key'
     }
 
-    def __init__(self, tls_dir: str, data_volume:str, **kwargs):
+    def __init__(self, tls_enabled=False, verify_client_cert=False, tls_dir='', data_volume='', **kwargs):
         self.data_volume = data_volume
-        if not tls_dir:
-            self.enabled = False
-        else:
-            self.enabled = True
-            self.tls_dir = tls_dir
+        self.verify_client_cert = verify_client_cert
+        self.enabled = tls_enabled
+        self.tls_dir = tls_dir
+        if self.enabled:
             self.required_filenames = self.harbor_certs_filename
             if kwargs.get('with_clair'):
                 self.required_filenames.update(self.clair_certs_filename)

make/photon/prepare/utils/configs.py

@@ -335,14 +335,20 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
     config_dict['registry_username'] = REGISTRY_USER_NAME
     config_dict['registry_password'] = generate_random_string(32)
 
+    internal_tls_config = configs['internal_tls']
     # TLS related configs
-    config_dict['internal_tls'] = InternalTLS(
-        configs.get('internal_tls') or '',
-        configs['data_volume'],
-        with_notary=with_notary,
-        with_clair=with_clair,
-        with_chartmuseum=with_chartmuseum,
-        external_database=config_dict['external_database'])
+    if internal_tls_config.get('enabled'):
+        config_dict['internal_tls'] = InternalTLS(
+            internal_tls_config['enabled'],
+            internal_tls_config['verify_client_cert'],
+            internal_tls_config['dir'],
+            configs['data_volume'],
+            with_notary=with_notary,
+            with_clair=with_clair,
+            with_chartmuseum=with_chartmuseum,
+            external_database=config_dict['external_database'])
+    else:
+        config_dict['internal_tls'] = InternalTLS()
 
     if config_dict['internal_tls'].enabled:
         config_dict['registry_url'] = 'https://registry:5443'
@@ -352,6 +358,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
         config_dict['token_service_url'] = 'https://core:8443/service/token'
         config_dict['jobservice_url'] = 'https://jobservice:8443'
         config_dict['clair_adapter_url'] = 'https://clair-adapter:8443'
+        # config_dict['trivy_adapter_url'] = 'http://trivy-adapter:8443'
         # config_dict['notary_url'] = 'http://notary-server:4443'
         config_dict['chart_repository_url'] = 'https://chartmuseum:9443'
 

tests/hostcfg.sh

@@ -5,7 +5,10 @@ IP=`ip addr s eth0 |grep "inet "|awk '{print $2}' |awk -F "/" '{print $1}'`
 sudo sed "s/reg.mydomain.com/$IP/" make/harbor.yml.tmpl |sudo tee make/harbor.yml
 
 # enable internal tls
-echo "internal_tls: /etc/harbor/tls/internal" >> make/harbor.yml
+echo "internal_tls:" >> make/harbor.yml
+echo "  enabled: true" >> make/harbor.yml
+echo "  verify_client_cert: true" >> make/harbor.yml
+echo "  dir: /etc/harbor/tls/internal" >> make/harbor.yml
 
 # TODO: remove it when scanner adapter support internal access of harbor
 echo "storage_service:" >> make/harbor.yml