mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-24 17:47:46 +01:00
49 lines
2.9 KiB
Markdown
49 lines
2.9 KiB
Markdown
|
---
|
||
|
title: Configure Internal TLS communication between Harbor Component
|
||
|
weight: 30
|
||
|
---
|
||
|
|
||
|
By default, The internal communication between Harbor's component (harbor-core,harbor-jobservice,proxy,harbor-portal,registry,registryctl,trivy_adapter,clair_adapter,chartmuseum) use HTTP protocol which might not be secure enough for some production environment. Since Harbor v2.0, TLS can be used for this internal network. In production environments, always use HTTPS is a recommended best practice.
|
||
|
|
||
|
This functionality is introduced via the `internal_tls` in `harbor.yml` file. To enabled internal TLS, set `enabled` to `true` and set the `dir` value to the path of directory that contains the internal cert files.
|
||
|
|
||
|
All certs can be automatically generated by `prepare` tool.
|
||
|
```bash
|
||
|
docker run -v /:/hostfs goharbor/prepare:v2.0 gencert -p /path/to/internal/tls/cert
|
||
|
```
|
||
|
|
||
|
User also can provide their own CA to generate the other certs. Just put certificate and key of the CA on internal tls cert directory and name them as `harbor_internal_ca.key` and `harbor_internal_ca.crt`.
|
||
|
Besides, a user can also provide the certs for all components. However, there are some constraints for the certs:
|
||
|
|
||
|
* First, all certs must be signed by a single unique CA
|
||
|
* Second, the filename of the internal cert and `CN` field on cert file must follow the convention listed below'
|
||
|
|
||
|
|name|usage|CN|
|
||
|
|---|---|---|
|
||
|
|`harbor_internal_ca.key`| ca's key file for internal TLS | N/A |
|
||
|
|`harbor_internal_ca.crt`| ca's certificate file for internal TLS | N/A |
|
||
|
|`core.key`| core's key file | N/A |
|
||
|
|`core.crt`| core's certificate file| `core` |
|
||
|
|`job_service.key`| job_service's key file | N/A |
|
||
|
|`job_service.crt`| job_service's certificate file| `jobservice` |
|
||
|
|`proxy.key`| proxy's key file | N/A |
|
||
|
|`proxy.crt`| proxy's certificate file| `proxy` |
|
||
|
|`portal.key`| portal's key file | N/A |
|
||
|
|`portal.crt`| portal's certificate file| `portal` |
|
||
|
|`registry.key`| registry's key file | N/A |
|
||
|
|`registry.crt`| registry's certificate file| `registry` |
|
||
|
|`registryctl.key`| registryctl's key file | N/A |
|
||
|
|`registryctl.crt`| registryctl's certificate file| `registryctl` |
|
||
|
|`notary_server.key`| notary_server's key file | N/A |
|
||
|
|`notary_server.crt`| notary_server's certificate file| `notary-server` |
|
||
|
|`notary_signer.key`| notary_signer's key file | N/A |
|
||
|
|`notary_signer.crt`| notary_signer's certificate file| `notary-signer` |
|
||
|
|`trivy_adapter.key`| trivy_adapter.'s key file | N/A |
|
||
|
|`trivy_adapter.crt`| trivy_adapter.'s certificate file| `trivy-adapter` |
|
||
|
|`clair.key`| clair's key file | N/A |
|
||
|
|`clair.crt`| clair's certificate file| `clair` |
|
||
|
|`clair_adapter.key`| clair_adapter's key file | N/A |
|
||
|
|`clair_adapter.crt`| clair_adapter's certificate file| `clair-adapter` |
|
||
|
|`chartmuseum.key`| chartmuseum's key file | N/A |
|
||
|
|`chartmuseum.crt`| chartmuseum's certificate file| `chartmuseum` |
|