Embedded Harbor login fails when using CA signed trusted certificates

Article ID: 336080

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
In a vSphere with Tanzu vCenter Server 7.0 environment, you experience these symptoms:
  • Login to Harbor registry fails with error message similar to:
x509: cannot validate certificate for 172.1X.XX.X because it doesn't contain any IP SANs
  • The vSphere Supervisor Cluster is configured with a trusted CA signed certificate for its VIP
  • Harbor status is healthy and all Harbor pods are running successfully, but login to Harbor UI or using the docker-vsphere-credential-helper fails


Environment

VMware vCenter Server 7.0.x

Resolution

There is no resolution for this issue at this time. See the workaround section below.

Workaround:
The Harbor configuration must be manually updated to use the FQDN of the Supervisor Cluster instead of the VIP, so that the certificate is validated against a DNS name it contains rather than against an IP address (the cause of the x509 "doesn't contain any IP SANs" error above).

The steps to manually update Harbor to use the FQDN of the Supervisor Cluster are:
  1. Retrieve the Harbor administrator credentials
    1. Log in to the Supervisor Cluster Control Plane VM using root credentials.
    2. Locate the registry controller namespace, in the format:
vmware-system-registry-xxx
    3. Obtain the credentials from the secret `harbor-xxx-controller-registry` using the below command:
kubectl -n vmware-system-registry-XXXX get secret harbor-XXXX-controller-registry -o yaml

An example output (the values in the secret are base64-encoded twice, so each is decoded twice):
root@<control-plane-vm> [ ~ ]# kubectl -n vmware-system-registry-XXXX get secret harbor-XXXX-controller-registry -o yaml
apiVersion: v1
data:
  harborAdminPassword: SVRRe...QT09
  harborAdminUsername: WVd...ND0=
  harborPostgresPassword: WW1kUGV...EOTFaZz09
kind: Secret

root@<control-plane-vm> [ ~ ]# echo "$harborAdminUsername" | base64 -d | base64 -d
adminxyz

root@<control-plane-vm> [ ~ ]# echo "$harborAdminPassword" | base64 -d | base64 -d
adminpassword

  2. Update the Harbor configuration using its config API
    1. Obtain the Harbor IP address from the vCenter Server UI (Supervisor Cluster > Configure > Image Registry).
    2. From a location reachable by Harbor, use the Harbor configuration API to update the below configs by replacing the Supervisor Cluster VIP with its DNS name.
Config values:
http_authproxy_endpoint
http_authproxy_tokenreview_endpoint

Sample:
curl -H "Content-Type:application/json" -X PUT -u <harbor_admin_username>:'<harbor_admin_password>' -kv https://<harbor_ip>/api/configurations -d '{"http_authproxy_endpoint":"https://<Supervisor_Cluster_DNS_name>/wcp/login","http_authproxy_tokenreview_endpoint":"https://<Supervisor_Cluster_DNS_name>/wcp/tokenreview"}'

  3. Confirm the Harbor configuration was updated successfully using this command:
curl -H "Content-Type:application/json" -X GET -u <harbor_admin_username>:'<harbor_admin_password>' -kv https://<harbor_ip>/api/configurations

  4. Login from the Harbor UI and with docker-vsphere-credential-helper now succeeds, and pushing and pulling images from Harbor works.
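The credential retrieval, configuration update and verification steps above, scripted together as an added example (not part of the KB article or of Harbor): it assumes kubectl and curl are available where it runs, takes the registry namespace, secret name, Harbor IP and Supervisor Cluster FQDN as arguments, and checks that the GET response reports the FQDN rather than a bare IP address for both endpoints.

```shell
#!/usr/bin/env bash
# Added example (not from the KB): scripts the workaround above. Assumptions:
# kubectl and curl are on PATH, the script runs where both the Supervisor
# control plane (kubectl) and Harbor (curl) are reachable, and all arguments
# are supplied by the operator; nothing here is hard-coded to a real site.
set -u

# The KB's example output decodes each secret value twice (base64 inside base64).
decode_twice() {
  printf '%s' "$1" | base64 -d | base64 -d
}

# Read one key of the registry controller secret, still base64-encoded by Kubernetes.
secret_value() {  # $1 = registry namespace, $2 = secret name, $3 = data key
  kubectl -n "$1" get secret "$2" -o "jsonpath={.data.$3}"
}

# JSON body for PUT /api/configurations: both auth-proxy endpoints on the FQDN.
build_payload() {  # $1 = Supervisor Cluster DNS name
  printf '{"http_authproxy_endpoint":"https://%s/wcp/login",' "$1"
  printf '"http_authproxy_tokenreview_endpoint":"https://%s/wcp/tokenreview"}' "$1"
}

# Check a GET /api/configurations response: both endpoints must use the FQDN.
# A bare IPv4 host means the VIP is still configured, so the x509 "no IP SANs"
# failure will persist. Tolerates either a flat or a {"value":...} JSON shape.
endpoints_use_fqdn() {  # $1 = JSON response, $2 = expected FQDN
  local key host
  for key in http_authproxy_endpoint http_authproxy_tokenreview_endpoint; do
    host=$(printf '%s' "$1" | grep -o "\"$key\"[^}]*" | grep -o 'https://[^"/]*' | head -n1) || host=""
    [ "$host" = "https://$2" ] || return 1
  done
  return 0
}

# End-to-end: fetch credentials, apply the new endpoints, then verify.
# Usage: fix-harbor-fqdn.sh <registry-namespace> <secret-name> <harbor-ip> <supervisor-fqdn>
apply_workaround() {
  local ns=$1 secret=$2 harbor_ip=$3 fqdn=$4 user pass
  user=$(decode_twice "$(secret_value "$ns" "$secret" harborAdminUsername)")
  pass=$(decode_twice "$(secret_value "$ns" "$secret" harborAdminPassword)")
  # -k mirrors the KB sample: Harbor is addressed by IP, so its cert cannot be validated against the host.
  curl -sk -H "Content-Type:application/json" -X PUT -u "$user:$pass" \
       -d "$(build_payload "$fqdn")" "https://$harbor_ip/api/configurations"
  endpoints_use_fqdn "$(curl -sk -u "$user:$pass" "https://$harbor_ip/api/configurations")" "$fqdn" \
    && echo "Harbor auth-proxy endpoints now point at $fqdn"
}

if [ "$#" -eq 4 ]; then apply_workaround "$@"; fi
```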