From c5d73e6a0c3064e35ebba47a8fa86a66f44020c5 Mon Sep 17 00:00:00 2001
From: DQ
Date: Mon, 16 Mar 2020 23:20:05 +0800
Subject: [PATCH] Add switch to https

use switch to make decision whether mTLS or server TLS

Signed-off-by: DQ
---
 make/harbor.yml.tmpl | 5 ++++-
 make/photon/prepare/models.py | 16 ++++++++++------
 make/photon/prepare/utils/configs.py | 21 ++++++++++++++------
 tests/hostcfg.sh | 5 ++++-
 4 files changed, 32 insertions(+), 15 deletions(-)

diff --git a/make/harbor.yml.tmpl b/make/harbor.yml.tmpl
index 8d7d1d16f..a131068e0 100644
--- a/make/harbor.yml.tmpl
+++ b/make/harbor.yml.tmpl
@@ -17,7 +17,10 @@ https:
 certificate: /your/certificate/path
 private_key: /your/private/key/path
-# internal_tls: /etc/harbor/tls/internal
+# internal_tls:
+# enabled: true
+# verify_client_cert: false
+# dir: /etc/harbor/tls/internal
 # Uncomment external_url if you want to enable external proxy
 # And when it enabled the hostname will no longer used
diff --git a/make/photon/prepare/models.py b/make/photon/prepare/models.py
index 534b79389..f007fef25 100644
--- a/make/photon/prepare/models.py
+++ b/make/photon/prepare/models.py
@@ -23,6 +23,11 @@ class InternalTLS:
 'clair.crt', 'clair.key'
 }
+ trivy_certs_filename = {
+ 'trivy_adapter.crt', 'trivy_adapter.key',
+ 'trivy.crt', 'trivy.key'
+ }
+
 notary_certs_filename = {
 'notary_signer.crt', 'notary_signer.key',
 'notary_server.crt', 'notary_server.key'
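Review bot: The new `verify_client_cert` key is introduced in the commented template without saying what it switches, so an operator cannot tell from this file that it is the mTLS-versus-server-TLS choice the commit subject describes. Suggest a comment line above the block, e.g. `# verify_client_cert: true makes internal components require a client certificate (mutual TLS); false keeps server-side TLS only`, and one noting that `dir` must contain the certificate and key files for every enabled component, since models.py derives the required file set from the enabled components. The commented default of `false` here differs from the `true` written by tests/hostcfg.sh; stating which one is the recommended production setting would avoid that being read as an oversight.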
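Review bot: `trivy_certs_filename` is defined here but nothing visible adds it to `required_filenames`: the `__init__` in the next hunk only handles `with_clair` within view, and the caller in make/photon/prepare/utils/configs.py passes `with_notary`, `with_clair` and `with_chartmuseum` but not `with_trivy`, even though `parse_yaml_config` receives it. Unless a `with_trivy` branch exists further down `__init__` (its body ends outside the hunk), the Trivy certificate and key files are never required, so a TLS-enabled deployment with Trivy can pass the prepare check with those files missing. Suggest `with_trivy=with_trivy` in the caller and `if kwargs.get('with_trivy'): self.required_filenames.update(self.trivy_certs_filename)` in `__init__`.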
@@ -37,13 +42,12 @@ class InternalTLS:
 'harbor_db.crt', 'harbor_db.key'
 }
- def __init__(self, tls_dir: str, data_volume:str, **kwargs):
+ def __init__(self, tls_enabled=False, verify_client_cert=False, tls_dir='', data_volume='', **kwargs):
 self.data_volume = data_volume
- if not tls_dir:
- self.enabled = False
- else:
- self.enabled = True
- self.tls_dir = tls_dir
+ self.verify_client_cert = verify_client_cert
+ self.enabled = tls_enabled
+ self.tls_dir = tls_dir
+ if self.enabled:
 self.required_filenames = self.harbor_certs_filename
 if kwargs.get('with_clair'):
 self.required_filenames.update(self.clair_certs_filename)
diff --git a/make/photon/prepare/utils/configs.py b/make/photon/prepare/utils/configs.py
index 5332a1136..1eeacfb9f 100644
--- a/make/photon/prepare/utils/configs.py
+++ b/make/photon/prepare/utils/configs.py
@@ -335,14 +335,20 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
 config_dict['registry_username'] = REGISTRY_USER_NAME
 config_dict['registry_password'] = generate_random_string(32)
+ internal_tls_config = configs['internal_tls']
 # TLS related configs
- config_dict['internal_tls'] = InternalTLS(
- configs.get('internal_tls') or '',
- configs['data_volume'],
- with_notary=with_notary,
- with_clair=with_clair,
- with_chartmuseum=with_chartmuseum,
- external_database=config_dict['external_database'])
+ if internal_tls_config.get('enabled'):
+ config_dict['internal_tls'] = InternalTLS(
+ internal_tls_config['enabled'],
+ internal_tls_config['verify_client_cert'],
+ internal_tls_config['dir'],
+ configs['data_volume'],
+ with_notary=with_notary,
+ with_clair=with_clair,
+ with_chartmuseum=with_chartmuseum,
+ external_database=config_dict['external_database'])
+ else:
+ config_dict['internal_tls'] = InternalTLS()
 if config_dict['internal_tls'].enabled:
 config_dict['registry_url'] = 'https://registry:5443'
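Review bot: `self.tls_dir = tls_dir` is stored without validation when TLS is enabled, so `InternalTLS(True, False, '')` (the new default for `tls_dir`) produces an enabled instance whose certificate directory is the empty string; the removed `if not tls_dir` guard used to make an empty directory mean "disabled". Suggest adding after the assignment `if self.enabled and not self.tls_dir: raise ValueError('internal_tls.dir is required when internal_tls.enabled is true')`. A second point on the context line `self.required_filenames = self.harbor_certs_filename`: it aliases the class-level set, so the `.update(...)` calls below mutate `InternalTLS.harbor_certs_filename` for every later instance, and a copy `self.required_filenames = set(self.harbor_certs_filename)` avoids that. With two leading boolean parameters the call `InternalTLS(True, False, ...)` is hard to read at the call site; making them keyword-only (`def __init__(self, *, tls_enabled=False, ...)`) would help, though the caller in configs.py would then need to pass them by name.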
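Review bot: `internal_tls_config = configs['internal_tls']` raises KeyError whenever the `internal_tls` block is absent, which is the shipped default because make/harbor.yml.tmpl keeps it commented out; the removed line tolerated that with `configs.get('internal_tls') or ''`. `internal_tls_config['verify_client_cert']` likewise fails when a user supplies only `enabled` and `dir`. Suggest `internal_tls_config = configs.get('internal_tls') or {}` and `internal_tls_config.get('verify_client_cert', False),`, keeping `internal_tls_config['dir']` strict so an enabled block without a directory still fails loudly at prepare time rather than later. The `or {}` also covers a bare `internal_tls:` key, which YAML loads as None and would otherwise break on `.get('enabled')`.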
@@ -352,6 +358,7 @@ def parse_yaml_config(config_file_path, with_notary, with_clair, with_trivy, wit
 config_dict['token_service_url'] = 'https://core:8443/service/token'
 config_dict['jobservice_url'] = 'https://jobservice:8443'
 config_dict['clair_adapter_url'] = 'https://clair-adapter:8443'
+ # config_dict['trivy_adapter_url'] = 'http://trivy-adapter:8443'
 # config_dict['notary_url'] = 'http://notary-server:4443'
 config_dict['chart_repository_url'] = 'https://chartmuseum:9443'
diff --git a/tests/hostcfg.sh b/tests/hostcfg.sh
index 3bee2e364..6ba8f416e 100755
--- a/tests/hostcfg.sh
+++ b/tests/hostcfg.sh
@@ -5,7 +5,10 @@ IP=`ip addr s eth0 |grep "inet "|awk '{print $2}' |awk -F "/" '{print $1}'`
 sudo sed "s/reg.mydomain.com/$IP/" make/harbor.yml.tmpl |sudo tee make/harbor.yml
 # enable internal tls
-echo "internal_tls: /etc/harbor/tls/internal" >> make/harbor.yml
+echo "internal_tls:" >> make/harbor.yml
+echo " enabled: true" >> make/harbor.yml
+echo " verify_client_cert: true" >> make/harbor.yml
+echo " dir: /etc/harbor/tls/internal" >> make/harbor.yml
 # TODO: remove it when scanner adapter support internal access of harbor
 echo "storage_service:" >> make/harbor.yml
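Review bot: The added line is commented-out code, and its `http://trivy-adapter:8443` scheme contradicts the surrounding `https://` URLs in this `internal_tls.enabled` branch, so whoever uncomments it later is likely to ship a plaintext URL on the TLS port. If the adapter is not yet served over TLS, replace the dead line with a comment such as `# TODO: set trivy_adapter_url to https://trivy-adapter:8443 once the adapter serves internal TLS`; if it is (the new `trivy_certs_filename` set in models.py suggests that is the intent), set `config_dict['trivy_adapter_url'] = 'https://trivy-adapter:8443'` now. `parse_yaml_config` starts and ends outside this hunk.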
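Review bot: The script writes `verify_client_cert: true`, while make/harbor.yml.tmpl documents `false` as the commented default, so this test only exercises the mutual-TLS path and the server-TLS-only setting introduced by the same commit is never run here. A constructed example of making both reachable is `VERIFY_CLIENT_CERT="${VERIFY_CLIENT_CERT:-true}"` with `echo "  verify_client_cert: ${VERIFY_CLIENT_CERT}" >> make/harbor.yml`, so a second CI job can cover the default. The four `echo ... >> make/harbor.yml` appends would also read better as one `cat >> make/harbor.yml <<EOF` heredoc, which keeps the YAML block and its indentation visible as a unit.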