Configure Internal TLS communication between Harbor Component
By default, the internal communication between Harbor’s components (harbor-core, harbor-jobservice, proxy,harbor-portal, registry, registryctl, trivy_adapter, clair_adapter, chartmuseum) use the HTTP protocol, which might not be secure enough for production environments. Since Harbor v2.0, TLS can be used for this internal network. In production environments, using HTTPS is a recommended best practice.
This functionality is implemented using the internal_tls parameter in the harbor.yml file. To enable internal TLS, set enabled to true and set the dir value to the path of directory that contains the internal cert files.
You can generate certs using the prepare tool.
docker run -v /:/hostfs goharbor/prepare:v2.0 gencert -p /path/to/internal/tls/cert
You can also provide your own CA to generate the other certs. To do this, put the certificate and key of the CA on internal tls cert directory, and name them harbor_internal_ca.key and harbor_internal_ca.crt.
You can also provide the certs for all components. However, there are some constraints for the certs:
All certs must be signed by a single unique CA
The filename of the internal cert and CN field on cert file must follow the conventions in the following table: