Configure Internal TLS communication between Harbor Components
By default, the internal communication between Harbor's components (harbor-core, harbor-jobservice, proxy, harbor-portal, registry, registryctl, trivy_adapter, chartmuseum) uses plain HTTP, which may not be secure enough for some production environments. Since Harbor v2.0, TLS can be enabled on this internal network. Using HTTPS everywhere, including between components, is the recommended practice for production.
This functionality is controlled by the `internal_tls` section of the `harbor.yml` file. To enable internal TLS, set `enabled` to `true` and set `dir` to the path of the directory that contains the internal certificate files.
All certificates can be generated automatically by the `prepare` tool:
```shell
docker run -v /:/hostfs goharbor/prepare:v2.3.x gencert -p /path/to/internal/tls/cert
```
Remember to replace the version number with the version of Harbor you are running. Note that `-v /:/hostfs` mounts the host's entire root filesystem into the container so that `prepare` can write the certificates to the given path; run it on the Harbor host itself and remove the files it does not need.
Users can also supply their own CA and let `prepare` generate the component certificates from it: put the CA's key and certificate in the internal TLS cert directory, named `harbor_internal_ca.key` and `harbor_internal_ca.crt`.
Alternatively, a user can provide the certificates for all components. These certificates must satisfy the following constraints:
- First, all certificates must be signed by one and the same CA.
- Second, the filename of each internal certificate and the `CN` field of the certificate must follow the convention listed in the table below.
- Third, since Go 1.15 the X.509 verifier no longer falls back to the `CN` field when a certificate carries no Subject Alternative Name (SAN) extension, so you must add the SAN extension when generating the certificates yourself, or the Harbor instance will not start up normally. The DNS name in the SAN extension must be the same as the `CN` value in the table below. For more information, refer to the Go 1.15 release notes (https://golang.org/doc/go1.15) and this issue.
| Name | Usage | CN |
|---|---|---|
| harbor_internal_ca.key | CA's key file for internal TLS | N/A |
| harbor_internal_ca.crt | CA's certificate file for internal TLS | N/A |
| core.key | core's key file | N/A |
| core.crt | core's certificate file | core |
| job_service.key | job_service's key file | N/A |
| job_service.crt | job_service's certificate file | jobservice |
| proxy.key | proxy's key file | N/A |
| proxy.crt | proxy's certificate file | proxy |
| portal.key | portal's key file | N/A |
| portal.crt | portal's certificate file | portal |
| registry.key | registry's key file | N/A |
| registry.crt | registry's certificate file | registry |
| registryctl.key | registryctl's key file | N/A |
| registryctl.crt | registryctl's certificate file | registryctl |
| notary_server.key | notary_server's key file | N/A |
| notary_server.crt | notary_server's certificate file | notary-server |
| notary_signer.key | notary_signer's key file | N/A |
| notary_signer.crt | notary_signer's certificate file | notary-signer |
| trivy_adapter.key | trivy_adapter's key file | N/A |
| trivy_adapter.crt | trivy_adapter's certificate file | trivy-adapter |
| chartmuseum.key | chartmuseum's key file | N/A |
| chartmuseum.crt | chartmuseum's certificate file | chartmuseum |
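The following script is an added example for the "provide your own certificates" path above; it is not part of this page and not Harbor's `prepare` tool. It issues an internal CA and one key/certificate pair per component using the filename and `CN` convention from the table, puts the same name in the SAN extension, and then re-checks every certificate against the three constraints (single CA, CN convention, SAN present and equal to CN) before the directory is pointed to by `internal_tls.dir`. The CA name `harbor-internal-ca`, RSA 2048 keys, the validity periods and the `serverAuth,clientAuth` key usage are choices of this example, not Harbor requirements; it assumes `openssl` 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example (not Harbor's prepare tool): issue the internal TLS CA and the
# per-component certs under the table's filename/CN/SAN convention, then check
# the result against the three constraints. Assumes openssl >= 1.1.1.
set -eu

# "<file stem>:<CN and SAN DNS name>" pairs copied from the table. Note the stems
# whose CN differs from the filename (job_service -> jobservice, notary_server
# -> notary-server, ...); mixing these up is a typical cause of startup failures.
COMPONENTS="core:core job_service:jobservice proxy:proxy portal:portal
registry:registry registryctl:registryctl notary_server:notary-server
notary_signer:notary-signer trivy_adapter:trivy-adapter chartmuseum:chartmuseum"

# gen_ca DIR: create harbor_internal_ca.key/.crt unless the operator already
# dropped their own CA pair into DIR (the page allows either).
gen_ca() {
  dir=$1
  if [ -f "$dir/harbor_internal_ca.key" ] && [ -f "$dir/harbor_internal_ca.crt" ]; then
    return 0
  fi
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=harbor-internal-ca" \
    -keyout "$dir/harbor_internal_ca.key" -out "$dir/ca.csr" 2>/dev/null
  # extensions via -extfile so the result does not depend on the system openssl.cnf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/harbor_internal_ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/harbor_internal_ca.crt" 2>/dev/null
  rm -f "$dir/ca.csr" "$dir/ca.ext"
}

# gen_leaf DIR STEM CN WITH_SAN(yes|no): issue STEM.key/STEM.crt signed by the
# internal CA. WITH_SAN=no reproduces the Go 1.15 failure mode for testing.
gen_leaf() {
  dir=$1; stem=$2; cn=$3; with_san=$4
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$dir/$stem.key" -out "$dir/$stem.csr" 2>/dev/null
  ext="$dir/$stem.ext"
  printf 'extendedKeyUsage=serverAuth,clientAuth\n' > "$ext"
  if [ "$with_san" = yes ]; then
    printf 'subjectAltName=DNS:%s\n' "$cn" >> "$ext"
  fi
  openssl x509 -req -sha256 -days 365 -in "$dir/$stem.csr" \
    -CA "$dir/harbor_internal_ca.crt" -CAkey "$dir/harbor_internal_ca.key" -CAcreateserial \
    -extfile "$ext" -out "$dir/$stem.crt" 2>/dev/null
  rm -f "$dir/$stem.csr" "$ext"
}

# gen_internal_certs DIR: the complete set for internal_tls.dir in harbor.yml.
gen_internal_certs() {
  dir=$1
  mkdir -p "$dir"
  gen_ca "$dir"
  for pair in $COMPONENTS; do
    gen_leaf "$dir" "${pair%%:*}" "${pair#*:}" yes
  done
  rm -f "$dir/harbor_internal_ca.srl"   # openssl serial bookkeeping, not needed by Harbor
}

# check_internal_certs DIR: for every component verify the chain to the single
# CA, the CN convention and the SAN requirement. Prints each violation; returns 1 on any.
check_internal_certs() {
  dir=$1; rc=0
  for pair in $COMPONENTS; do
    stem=${pair%%:*}; cn=${pair#*:}; crt="$dir/$stem.crt"
    if [ ! -f "$crt" ] || [ ! -f "$dir/$stem.key" ]; then
      echo "$stem: missing $stem.key or $stem.crt"; rc=1; continue
    fi
    # 1. signed by harbor_internal_ca.crt
    if ! openssl verify -CAfile "$dir/harbor_internal_ca.crt" "$crt" >/dev/null 2>&1; then
      echo "$stem.crt: does not chain to harbor_internal_ca.crt"; rc=1
    fi
    # 2. CN follows the table (RFC2253 output looks like "subject=CN=core")
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" | tr -d ' ')
    case "$subj" in
      *"CN=$cn") ;;
      *) echo "$stem.crt: expected CN=$cn, got $subj"; rc=1 ;;
    esac
    # 3. SAN present and equal to the CN (Go >= 1.15 ignores CN for host names)
    if ! openssl x509 -noout -text -in "$crt" \
         | grep -A1 'Subject Alternative Name' | tr -d ' ' | grep -qx "DNS:$cn"; then
      echo "$stem.crt: no subjectAltName DNS:$cn; Harbor's Go components will reject it"; rc=1
    fi
  done
  return $rc
}

# Usage: sh gen-internal-tls.sh /path/to/internal/tls/cert
if [ $# -gt 0 ]; then
  gen_internal_certs "$1"
  check_internal_certs "$1"
fi
```

Run `check_internal_certs` on any certificate set you did not produce with this script as well: it catches the three mistakes the constraints describe (a component signed by a second CA, a filename whose CN does not match the table, and a certificate that has the right CN but no SAN) before Harbor fails to start.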