Harbor Deprecates Notary v1 Support in v2.9.0
search cancel

Harbor Deprecates Notary v1 Support in v2.9.0

book

Article ID: 374492

calendar_today

Updated On:

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

Helm chart was signed and pushed to Harbor using PGP (helm package --sign) in Harbor 2.9+ but the UI in Harbor shows not signed:

You find the below error when running commands like kubectl describe deployment <xxxxxxxx-xxxxxx> if upgrade is attempted and fails.  

8:37:04PM: Template failed
     | ytt: Error:
     | - library.eval: Evaluating library 'bundle/config': Overlaying data values (in following order: _ytt_lib/bundle/config/globals.yaml, _ytt_lib/bundle/config/values.yaml, additional data values): Document on line ?: Map item (key 'notary') on line ?: Expected number of matched nodes to be 1, but was 0

Environment

  • Harbor 2.9+
  • VMware Tanzu Kubernetes Grid Integrated Edition

Cause

helm package --sign command uses PGP to sign the helm chart and it is not supported in Harbor 2.9+

Resolution

Migrate to using cosign or notation or both starting in Harbor 2.9+

If image signing is not needed, the notary key / value can be removed or commented out of the harbor-values-file.yaml.

Powered by Wolken Software