Configure Internal TLS communication between Harbor Component

By default, the internal communication between Harbor’s components (harbor-core, harbor-jobservice, proxy,harbor-portal, registry, registryctl, trivy_adapter, clair_adapter, chartmuseum) use the HTTP protocol, which might not be secure enough for production environments. Since Harbor v2.0, TLS can be used for this internal network. In production environments, using HTTPS is a recommended best practice.

This functionality is implemented using the internal_tls parameter in the harbor.yml file. To enable internal TLS, set enabled to true and set the dir value to the path of directory that contains the internal cert files.

You can generate certs using the prepare tool.

docker run -v /:/hostfs goharbor/prepare:v2.0 gencert -p /path/to/internal/tls/cert

You can also provide your own CA to generate the other certs. To do this, put the certificate and key of the CA on internal tls cert directory, and name them harbor_internal_ca.key and harbor_internal_ca.crt. You can also provide the certs for all components. However, there are some constraints for the certs:

  • All certs must be signed by a single unique CA
  • The filename of the internal cert and CN field on cert file must follow the conventions in the following table:
    name usage CN
    harbor_internal_ca.key ca’s key file for internal TLS N/A
    harbor_internal_ca.crt ca’s certificate file for internal TLS N/A
    core.key core’s key file N/A
    core.crt core’s certificate file core
    job_service.key job_service’s key file N/A
    job_service.crt job_service’s certificate file jobservice
    proxy.key proxy’s key file N/A
    proxy.crt proxy’s certificate file proxy
    portal.key portal’s key file N/A
    portal.crt portal’s certificate file portal
    registry.key registry’s key file N/A
    registry.crt registry’s certificate file registry
    registryctl.key registryctl’s key file N/A
    registryctl.crt registryctl’s certificate file registryctl
    notary_server.key notary_server’s key file N/A
    notary_server.crt notary_server’s certificate file notary-server
    notary_signer.key notary_signer’s key file N/A
    notary_signer.crt notary_signer’s certificate file notary-signer
    trivy_adapter.key trivy_adapter.’s key file N/A
    trivy_adapter.crt trivy_adapter.’s certificate file trivy-adapter
    clair.key clair’s key file N/A
    clair.crt clair’s certificate file clair
    clair_adapter.key clair_adapter’s key file N/A
    clair_adapter.crt clair_adapter’s certificate file clair-adapter
    chartmuseum.key chartmuseum’s key file N/A
    chartmuseum.crt chartmuseum’s certificate file chartmuseum