This commit is contained in:
Stuart Clements 2019-12-18 10:34:58 +01:00
parent 2dc4fb5fb0
commit d1fae0005d
3 changed files with 27 additions and 20 deletions

View File

@ -6,27 +6,33 @@
By default, Harbor does not ship with certificates. It is possible to deploy Harbor without security, so that you can connect to it over HTTP. However, using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks. In production environments, always use HTTPS. If you enable Content Trust with Notary to properly sign all images, you must use HTTPS. By default, Harbor does not ship with certificates. It is possible to deploy Harbor without security, so that you can connect to it over HTTP. However, using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks. In production environments, always use HTTPS. If you enable Content Trust with Notary to properly sign all images, you must use HTTPS.
To configure HTTPS, you must create SSL certificates. You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. This section describes how to use OpenSSL to create a CA, and how to use your CA to sign a server certificate and a client certificate. To configure HTTPS, you must create SSL certificates. You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. This section describes how to use [OpenSSL](https://www.openssl.org/) to create a CA, and how to use your CA to sign a server certificate and a client certificate. You can use other CA providers, for example [Let's Encrypt](https://letsencrypt.org/).
Harbor uses an `nginx` instance as a reverse proxy for all services. You use the `prepare` script to configure `nginx` to enable HTTPS. Harbor uses an `nginx` instance as a reverse proxy for all services. You use the `prepare` script to configure `nginx` to enable HTTPS.
## Getting Certificate Authority ## Generate a Certificate Authority Certificate
``` To generate a CA certficate, run the following commands. In a production environment, you first should obtain a certificate from a CA. In a test or development environment, you can generate your own CA.
1. Generate a CA certificate private key.
```
openssl genrsa -out ca.key 4096 openssl genrsa -out ca.key 4096
``` ```
``` 1. Generate the CA certificate.
Adapt the values in the `-subj` option to reflect your organization.
```
openssl req -x509 -new -nodes -sha512 -days 3650 \ openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \ -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
-key ca.key \ -key ca.key \
-out ca.crt -out ca.crt
``` ```
## Getting Server Certificate
Assuming that your registry's **hostname** is **yourdomain.com**, and that its DNS record points to the host where you are running Harbor. In production environment, you first should get a certificate from a CA. In a test or development environment, you can use your own CA. The certificate usually contains a .crt file and a .key file, for example, **yourdomain.com.crt** and **yourdomain.com.key**.
## Generate a Server Certificate
This procedure assumes that your registry's hostname is `yourdomain.com`, and that its DNS record points to the host on which you are running Harbor. The certificate usually contains a `.crt` file and a `.key` file, for example, **yourdomain.com.crt** and **yourdomain.com.key**.
**1) Create your own Private Key:** **1) Create your own Private Key:**
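Review bot: the added sentence "To generate a CA certficate, run the following commands." misspells "certificate", and "you first should obtain a certificate from a CA" reads more naturally as "you should first obtain". Two smaller points in the same hunk: the CA `-subj` line keeps `CN=yourdomain.com`, the same hostname the "Generate a Server Certificate" section below assigns to the server; a CA whose subject matches the server's name can confuse chain building in OpenSSL, so suggest a distinct CA name there (for example `CN=yourdomain.com CA`) or a sentence saying the CA subject should differ from the server hostname. And the new CA steps use a markdown numbered list (`1.`) while the unchanged server steps still use the bold `**1) Create your own Private Key:**` form; worth aligning in this pass.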

View File

@ -2,13 +2,13 @@
---------- ----------
# Download the Harbor Installer: # Download the Harbor Installer
You download the installers from the **[official releases](https://github.com/goharbor/harbor/releases)** page. Choose either the online or the offline installer. You download the Harbor installers from the [official releases](https://github.com/goharbor/harbor/releases) page. Download either the online installer or the offline installer.
- **Online installer:** The online installer downloads the Harbor images from Docker hub. For this reason, the installer is very small in size. - **Online installer:** The online installer downloads the Harbor images from Docker hub. For this reason, the installer is very small in size.
- **Offline installer:** Use the offline installer if the host to which are are deploying Harbor does not have a connection to the Internet. The offline installer contains pre-built images so it is larger than the online installer. - **Offline installer:** Use the offline installer if the host to which are are deploying Harbor does not have a connection to the Internet. The offline installer contains pre-built images, so it is larger than the online installer.
The installation processes are almost the same for both the online and offline installers. The installation processes are almost the same for both the online and offline installers.
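Review bot: the rewritten offline-installer bullet still carries the doubled "are are" from the original ("the host to which are are deploying Harbor"); it should read "the host to which you are deploying Harbor". Minor: "Docker hub" in the online-installer bullet should be "Docker Hub", since this hunk is already tidying that line.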
@ -47,7 +47,8 @@ The installation processes are almost the same for both the online and offline i
## Next Steps ## Next Steps
To prepare your Harbor installation, [Configure the Harbor YML File](configure_yml_file.md). - To use Harbor in a production environment, you must [Configure HTTPS Access to Harbor](configure_https.md).
- To configure your Harbor installation, see [Configure the Harbor YML File](configure_yml_file.md).
---------- ----------

View File

@ -22,8 +22,8 @@ The following table lists the software versions that must be installed on the ta
|Software|Version|Description| |Software|Version|Description|
|---|---|---| |---|---|---|
|Docker engine|Version 17.06.0-ce+ or higher|For installation instructions, see [docker engine doc](https://docs.docker.com/engine/installation/)| |Docker engine|Version 17.06.0-ce+ or higher|For installation instructions, see [Docker Engine documentation](https://docs.docker.com/engine/installation/)|
|Docker Compose|Version 1.18.0 or higher|For installation instructions, see [docker compose doc](https://docs.docker.com/compose/install/)| |Docker Compose|Version 1.18.0 or higher|For installation instructions, see [Docker Compose documentation](https://docs.docker.com/compose/install/)|
|Openssl|Latest is preferred|Used to generate certificate and keys for Harbor| |Openssl|Latest is preferred|Used to generate certificate and keys for Harbor|
### Network ports ### Network ports
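Review bot: the `|Openssl|Latest is preferred|...|` row is left as-is although the neighbouring rows in this hunk were normalised to product names ("Docker Engine", "Docker Compose"); suggest `OpenSSL`, matching the link text added to configure_https.md in this same commit. The Docker engine row also says both `17.06.0-ce+` and "or higher"; one of the two is redundant.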
@ -38,7 +38,7 @@ Harbor requires that the following ports be open on the target host.
## What to Do Next ## ## What to Do Next ##
To secure the connections the Harbor, you must [Configure HTTPS Access to Harbor](configure_https.md). [Download the Harbor Installer](download_installer.md).
---------- ----------
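Review bot: the "## What to Do Next ##" heading keeps its trailing `##`, which none of the other headings touched in this commit ("## Next Steps", "## Generate a Server Certificate") use; suggest dropping it while the line is being edited. Dropping the configure_https.md pointer from this page is fine given the new "Next Steps" bullet in download_installer.md now carries it, but the replacement "[Download the Harbor Installer](download_installer.md)." is a bare link and reads better with a lead-in such as "Next, download the Harbor installer".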