By default, the internal communication between Harbor's components (harbor-core, harbor-jobservice, proxy, harbor-portal, registry, registryctl, trivy_adapter, chartmuseum) uses plain HTTP, which might not be secure enough for some production environments. Since Harbor v2.0, TLS can be used for this internal network. In production environments, always using HTTPS is the recommended best practice.

    This functionality is configured via the internal_tls section of the harbor.yml file. To enable internal TLS, set enabled to true and set the dir value to the path of the directory that contains the internal cert files.

    All certs can be generated automatically by the prepare tool:

    docker run -v /:/hostfs goharbor/prepare:v2.1.0 gencert -p /path/to/internal/tls/cert

    Users can also provide their own CA to generate the other certs: put the certificate and key of the CA in the internal TLS cert directory and name them harbor_internal_ca.key and harbor_internal_ca.crt. A user can also provide the certs for all components themselves. However, there are some constraints on the certs:

    • First, all certs must be signed by a single, unique CA.
    • Second, the filename of each internal cert and the CN field in the cert must follow the convention listed in the table below.
    • Third, because self-signed certificates without a SAN were deprecated in Golang 1.5, you must add the SAN extension to your cert files when generating certs yourself, or the Harbor instance will not start up normally. The DNS name in the SAN extension must be the same as the CN field in the table below. For more information, refer to the golang 1.5 release notes and this issue.

      | Name                   | Usage                                  | CN            |
      |------------------------|----------------------------------------|---------------|
      | harbor_internal_ca.key | CA's key file for internal TLS         | N/A           |
      | harbor_internal_ca.crt | CA's certificate file for internal TLS | N/A           |
      | core.key               | core's key file                        | N/A           |
      | core.crt               | core's certificate file                | core          |
      | job_service.key        | job_service's key file                 | N/A           |
      | job_service.crt        | job_service's certificate file         | jobservice    |
      | proxy.key              | proxy's key file                       | N/A           |
      | proxy.crt              | proxy's certificate file               | proxy         |
      | portal.key             | portal's key file                      | N/A           |
      | portal.crt             | portal's certificate file              | portal        |
      | registry.key           | registry's key file                    | N/A           |
      | registry.crt           | registry's certificate file            | registry      |
      | registryctl.key        | registryctl's key file                 | N/A           |
      | registryctl.crt        | registryctl's certificate file         | registryctl   |
      | notary_server.key      | notary_server's key file               | N/A           |
      | notary_server.crt      | notary_server's certificate file       | notary-server |
      | notary_signer.key      | notary_signer's key file               | N/A           |
      | notary_signer.crt      | notary_signer's certificate file       | notary-signer |
      | trivy_adapter.key      | trivy_adapter's key file               | N/A           |
      | trivy_adapter.crt      | trivy_adapter's certificate file       | trivy-adapter |
      | chartmuseum.key        | chartmuseum's key file                 | N/A           |
      | chartmuseum.crt        | chartmuseum's certificate file         | chartmuseum   |
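    The three constraints above can be checked before Harbor ever tries to start. The following Go program is an added example, not part of the Harbor project or its prepare tool: it builds an internal CA and component leaf certs in memory (Ed25519 keys and the CA name are assumptions of the example) and enforces that a leaf chains to that single CA, carries the CN from the table, and repeats that name in its SAN extension. The SAN check uses Go's own x509.Verify with DNSName, which is why a CN-only cert fails here just as it does inside Harbor.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign gives tmpl a fresh Ed25519 key and issues it from parent; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader never fails (guaranteed since Go 1.24)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newInternalCA plays the harbor_internal_ca.crt/.key role: the single CA every component cert must chain to.
func newInternalCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "harbor-internal-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0)}, nil, nil)
}

// issueComponentCert signs a leaf such as core.crt (CN "core"); repeat cn as a SAN, or pass none for the CN-only cert the page warns about.
func issueComponentCert(ca *x509.Certificate, caKey ed25519.PrivateKey, cn string, sans ...string) (*x509.Certificate, error) {
	cert, _, err := sign(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return cert, err // the discarded private key is what would be written to <component>.key
}

// checkComponentCert enforces the page's constraints: CN per the table, chain to the internal CA, name present as a SAN.
func checkComponentCert(ca, cert *x509.Certificate, expectedCN string) error {
	if cert.Subject.CommonName != expectedCN {
		return fmt.Errorf("CN %q, want %q", cert.Subject.CommonName, expectedCN)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedCN}) // DNSName matches SANs only, never CN
	return err
}
```

To check certs already on disk, parse each PEM file with x509.ParseCertificate and pass the pair to checkComponentCert with the CN from the table.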