Configure Internal TLS communication between Harbor Components
By default, the internal communication between Harbor's components (`harbor-core`, `harbor-jobservice`, `proxy`, `harbor-portal`, `registry`, `registryctl`, `trivy_adapter`, `chartmuseum`) uses plain HTTP, which may not be secure enough for some production environments. Since Harbor v2.0, TLS can be used for this internal network. In production environments, always using HTTPS is the recommended best practice.
This functionality is configured via the `internal_tls` section of the `harbor.yml` file. To enable internal TLS, set `enabled` to `true` and set the `dir` value to the path of the directory that contains the internal certificate files.

All certificates can be generated automatically by the `prepare` tool:
```shell
docker run -v /:/hostfs goharbor/prepare:<current_harbor_version> gencert -p /path/to/internal/tls/cert
```
Users can also provide their own CA to generate the other certificates. Just place the CA certificate and key in the internal TLS certificate directory and name them `harbor_internal_ca.key` and `harbor_internal_ca.crt`.
Besides, a user can also provide the certificates for all components. However, there are some constraints on those certificates:

- First, all certificates must be signed by a single, unique CA.
- Second, the filename of each internal certificate and the `CN` field of the certificate must follow the convention listed in the table below.
- Third, because self-signed certificates without a SAN were deprecated in Golang 1.15, you must add the SAN extension to your certificates when generating them yourself; otherwise the Harbor instance will not start normally. The DNS name in the SAN extension should be the same as the CN field in the table below. For more information please refer to the Golang 1.15 release notes and this issue.
| name | usage | CN |
|---|---|---|
| harbor_internal_ca.key | CA's key file for internal TLS | N/A |
| harbor_internal_ca.crt | CA's certificate file for internal TLS | N/A |
| core.key | core's key file | N/A |
| core.crt | core's certificate file | core |
| job_service.key | job_service's key file | N/A |
| job_service.crt | job_service's certificate file | jobservice |
| proxy.key | proxy's key file | N/A |
| proxy.crt | proxy's certificate file | proxy |
| portal.key | portal's key file | N/A |
| portal.crt | portal's certificate file | portal |
| registry.key | registry's key file | N/A |
| registry.crt | registry's certificate file | registry |
| registryctl.key | registryctl's key file | N/A |
| registryctl.crt | registryctl's certificate file | registryctl |
| trivy_adapter.key | trivy_adapter's key file | N/A |
| trivy_adapter.crt | trivy_adapter's certificate file | trivy-adapter |