By default, the internal communication between Harbor’s components (harbor-core, harbor-jobservice, proxy,harbor-portal, registry, registryctl, trivy_adapter, clair_adapter, chartmuseum) use the HTTP protocol, which might not be secure enough for production environments. Since Harbor v2.0, TLS can be used for this internal network. In production environments, using HTTPS is a recommended best practice.

This functionality is implemented using the internal_tls parameter in the harbor.yml file. To enable internal TLS, set enabled to true and set the dir value to the path of directory that contains the internal cert files.

You can generate certs using the prepare tool.

docker run -v /:/hostfs goharbor/prepare:v2.0 gencert -p /path/to/internal/tls/cert

You can also provide your own CA to generate the other certs. To do this, put the certificate and key of the CA on internal tls cert directory, and name them harbor_internal_ca.key and harbor_internal_ca.crt. You can also provide the certs for all components. However, there are some constraints for the certs:

• All certs must be signed by a single unique CA
• The filename of the internal cert and CN field on cert file must follow the conventions in the following table:

  name	usage	CN
  harbor_internal_ca.key	ca’s key file for internal TLS	N/A
  harbor_internal_ca.crt	ca’s certificate file for internal TLS	N/A
  core.key	core’s key file	N/A
  core.crt	core’s certificate file	core
  job_service.key	job_service’s key file	N/A
  job_service.crt	job_service’s certificate file	jobservice
  proxy.key	proxy’s key file	N/A
  proxy.crt	proxy’s certificate file	proxy
  portal.key	portal’s key file	N/A
  portal.crt	portal’s certificate file	portal
  registry.key	registry’s key file	N/A
  registry.crt	registry’s certificate file	registry
  registryctl.key	registryctl’s key file	N/A
  registryctl.crt	registryctl’s certificate file	registryctl
  notary_server.key	notary_server’s key file	N/A
  notary_server.crt	notary_server’s certificate file	notary-server
  notary_signer.key	notary_signer’s key file	N/A
  notary_signer.crt	notary_signer’s certificate file	notary-signer
  trivy_adapter.key	trivy_adapter.’s key file	N/A
  trivy_adapter.crt	trivy_adapter.’s certificate file	trivy-adapter
  clair.key	clair’s key file	N/A
  clair.crt	clair’s certificate file	clair
  clair_adapter.key	clair_adapter’s key file	N/A
  clair_adapter.crt	clair_adapter’s certificate file	clair-adapter
  chartmuseum.key	chartmuseum’s key file	N/A
  chartmuseum.crt	chartmuseum’s certificate file	chartmuseum