From d1fae0005d26b0794f6c0898553b992f25a15fdd Mon Sep 17 00:00:00 2001 From: Stuart Clements Date: Wed, 18 Dec 2019 10:34:58 +0100 Subject: [PATCH] Rewrites --- .../installation/configure_https.md | 30 +++++++++++-------- .../installation/download_installer.md | 11 +++---- .../installation/installation_prereqs.md | 6 ++-- 3 files changed, 27 insertions(+), 20 deletions(-) diff --git a/docs/harbor-doc-reorg/install_config/installation/configure_https.md b/docs/harbor-doc-reorg/install_config/installation/configure_https.md index f43794c56..eb7eaa821 100644 --- a/docs/harbor-doc-reorg/install_config/installation/configure_https.md +++ b/docs/harbor-doc-reorg/install_config/installation/configure_https.md 
@@ -6,27 +6,33 @@ By default, Harbor does not ship with certificates. It is possible to deploy Harbor without security, so that you can connect to it over HTTP. However, using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks. In production environments, always use HTTPS. If you enable Content Trust with Notary to properly sign all images, you must use HTTPS. -To configure HTTPS, you must create SSL certificates. You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. This section describes how to use OpenSSL to create a CA, and how to use your CA to sign a server certificate and a client certificate. +To configure HTTPS, you must create SSL certificates. You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. This section describes how to use [OpenSSL](https://www.openssl.org/) to create a CA, and how to use your CA to sign a server certificate and a client certificate. You can use other CA providers, for example [Let's Encrypt](https://letsencrypt.org/). Harbor uses an `nginx` instance as a reverse proxy for all services. You use the `prepare` script to configure `nginx` to enable HTTPS. -## Getting Certificate Authority +## Generate a Certificate Authority Certificate -``` - openssl genrsa -out ca.key 4096 -``` -``` - openssl req -x509 -new -nodes -sha512 -days 3650 \ +To generate a CA certficate, run the following commands. In a production environment, you first should obtain a certificate from a CA. In a test or development environment, you can generate your own CA. + +1. Generate a CA certificate private key. + + ``` + openssl genrsa -out ca.key 4096 + ``` +1. Generate the CA certificate. + + Adapt the values in the `-subj` option to reflect your organization. 
+ + ``` + openssl req -x509 -new -nodes -sha512 -days 3650 \ -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \ -key ca.key \ -out ca.crt -``` - -## Getting Server Certificate - -Assuming that your registry's **hostname** is **yourdomain.com**, and that its DNS record points to the host where you are running Harbor. In production environment, you first should get a certificate from a CA. In a test or development environment, you can use your own CA. The certificate usually contains a .crt file and a .key file, for example, **yourdomain.com.crt** and **yourdomain.com.key**. + ``` +## Generate a Server Certificate +This procedure assumes that your registry's hostname is `yourdomain.com`, and that its DNS record points to the host on which you are running Harbor. The certificate usually contains a `.crt` file and a `.key` file, for example, **yourdomain.com.crt** and **yourdomain.com.key**. **1) Create your own Private Key:** diff --git a/docs/harbor-doc-reorg/install_config/installation/download_installer.md b/docs/harbor-doc-reorg/install_config/installation/download_installer.md index 379ab4e2e..b6647df3e 100644 --- a/docs/harbor-doc-reorg/install_config/installation/download_installer.md +++ b/docs/harbor-doc-reorg/install_config/installation/download_installer.md 
@@ -2,13 +2,13 @@ ---------- -# Download the Harbor Installer: +# Download the Harbor Installer -You download the installers from the **[official releases](https://github.com/goharbor/harbor/releases)** page. Choose either the online or the offline installer. +You download the Harbor installers from the [official releases](https://github.com/goharbor/harbor/releases) page. Download either the online installer or the offline installer. - **Online installer:** The online installer downloads the Harbor images from Docker hub. For this reason, the installer is very small in size. -- **Offline installer:** Use the offline installer if the host to which are are deploying Harbor does not have a connection to the Internet. The offline installer contains pre-built images so it is larger than the online installer. +- **Offline installer:** Use the offline installer if the host to which are are deploying Harbor does not have a connection to the Internet. The offline installer contains pre-built images, so it is larger than the online installer. The installation processes are almost the same for both the online and offline installers. @@ -36,7 +36,7 @@ The installation processes are almost the same for both the online and offline i gpg: armor header: Version: GnuPG v1 gpg: assuming signed data in 'harbor-offline-installer-v1.10.0-rc2.tgz' gpg: Signature made Fri, Dec 6, 2019 5:04:17 AM WEST - gpg: using RSA key 644FF454C0B4115C + gpg: using RSA key 644FF454C0B4115C gpg: using pgp trust model gpg: Good signature from "Harbor-sign (The key for signing Harbor build) <jiangd@vmware.com> [unknown] 
@@ -47,7 +47,8 @@ The installation processes are almost the same for both the online and offline i ## Next Steps -To prepare your Harbor installation, [Configure the Harbor YML File](configure_yml_file.md). +- To use Harbor in a production environment, you must [Configure HTTPS Access to Harbor](configure_https.md). +- To configure your Harbor installation, see [Configure the Harbor YML File](configure_yml_file.md). ---------- diff --git a/docs/harbor-doc-reorg/install_config/installation/installation_prereqs.md b/docs/harbor-doc-reorg/install_config/installation/installation_prereqs.md index 5239e3b8f..fafe01728 100644 --- a/docs/harbor-doc-reorg/install_config/installation/installation_prereqs.md +++ b/docs/harbor-doc-reorg/install_config/installation/installation_prereqs.md @@ -22,8 +22,8 @@ The following table lists the software versions that must be installed on the ta |Software|Version|Description| |---|---|---| -|Docker engine|Version 17.06.0-ce+ or higher|For installation instructions, see [docker engine doc](https://docs.docker.com/engine/installation/)| -|Docker Compose|Version 1.18.0 or higher|For installation instructions, see [docker compose doc](https://docs.docker.com/compose/install/)| +|Docker engine|Version 17.06.0-ce+ or higher|For installation instructions, see [Docker Engine documentation](https://docs.docker.com/engine/installation/)| +|Docker Compose|Version 1.18.0 or higher|For installation instructions, see [Docker Compose documentation](https://docs.docker.com/compose/install/)| |Openssl|Latest is preferred|Used to generate certificate and keys for Harbor| ### Network ports @@ -38,7 +38,7 @@ Harbor requires that the following ports be open on the target host. ## What to Do Next ## -To secure the connections the Harbor, you must [Configure HTTPS Access to Harbor](configure_https.md). +[Download the Harbor Installer](download_installer.md). ----------
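Review bot: In configure_https.md, the new intro line under "Generate a Certificate Authority Certificate" misspells "certficate"; it should read "To generate a CA certificate, run the following commands." The sentence "In a production environment, you first should obtain a certificate from a CA" was moved here from the server certificate section. In a section about creating your own CA it reads as contradictory, so either keep it with the server certificate procedure or reword it to say that production deployments should use a certificate issued by a trusted CA instead of this step. The `-subj`, `-key` and `-out` continuation lines are unchanged context, while the `openssl req` line and its fences are re-added inside the numbered list, so check that the continuation lines are indented to match or the code block will not render as part of step 2. Since step 1 now has its own sentence, it would also be a good place to say that `ca.key` is written without a passphrase and should be kept readable only by the administrator.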
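Review bot: In download_installer.md, the rewritten "Offline installer" bullet still contains "the host to which are are deploying Harbor". The line is already being touched to add the comma, so fix it in the same change: "the host to which you are deploying Harbor".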
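Review bot: In the sample gpg output in download_installer.md (hunk at -36,7), the only change is whitespace on the "gpg: using RSA key 644FF454C0B4115C" line, but the context line right after it, "Good signature from "Harbor-sign (The key for signing Harbor build) <jiangd@vmware.com> [unknown]", opens a double quote that is never closed. Suggest closing the quote after the e-mail address in the same pass, so that the sample matches what readers will see when they verify the installer and the "[unknown]" trust marker is clearly separate from the key's user ID.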
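Review bot: In the software table in installation_prereqs.md, the link text is now capitalized as "Docker Engine documentation", but the first column of the same row still says "Docker engine" and the unchanged row below still says "Openssl"; suggest "Docker Engine" and "OpenSSL" for consistency with the new link text and with configure_https.md. "Version 17.06.0-ce+ or higher" also states the minimum twice; "Version 17.06.0-ce or higher" is enough.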
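Review bot: In the "What to Do Next" section of installation_prereqs.md, the replacement line is a bare link followed by a period, "[Download the Harbor Installer](download_installer.md).", with no verb. Suggest a full sentence such as "To continue, see [Download the Harbor Installer](download_installer.md)." The heading here is "## What to Do Next ##" while download_installer.md uses "## Next Steps"; pick one form for the reorganized docs. The typo in the removed line ("connections the Harbor") goes away with this change, and the HTTPS pointer it carried now lives in the Next Steps list of download_installer.md, so nothing is lost.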