This article describes how to use a custom root CA and TLS certificate for a Harbor deployment that is installed as a Tanzu package on a workload cluster.
By default, Harbor is installed with certificates generated through cert-manager. To use your own certificates instead, follow the procedure in this article. Before editing anything, check that the key, certificate and CA bundle you were given belong together:
# Modulus check - the two openssl commands below, run against tls.crt and tls.key, must print the same md5 value; if they differ, the key does not belong to the certificate. (The modulus check applies to RSA keys only; for an EC key, compare the public key extracted from the certificate with the public key derived from the private key instead.)
$ openssl x509 -noout -modulus -in /path/to/tls.crt | openssl md5
$ openssl rsa -noout -modulus -in /path/to/tls.key | openssl md5
# Verify that the provided TLS certificate chains to the associated CA certificate. openssl verify validates only the first certificate in tls.crt, so when the leaf was issued by an intermediate CA, ca.crt must contain the intermediate CA certificate as well as the root (as in the values file below); otherwise the check fails with "unable to get local issuer certificate".
$ openssl verify -CAfile /path/to/ca.crt /path/to/tls.crt
/path/to/tls.crt: OK
$ vi harbor-data-values.yaml
namespace: tanzu-system-registry
hostname: harbor.mydomain.com
port:
  https: 443
logLevel: info
tlsCertificate:
  tls.crt: |
    -----BEGIN CERTIFICATE-----
    MIIGTDCCBDSgawIBAbITewAcAWX6WccEfDQLdQACAAAfZTANBggqhkiGe90BAQsF
    aDBKMbswCQYdVQQGEdJzZzEeMAoGAfUEChMDg292MQhwCgYiVQQLEjNpY2Ekjdad
    :
    :
    aBcDeF=
    -----END CERTIFICATE-----
  tls.key: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBaAKCbQEAcF7Ddu/UeWUpfKPNg8G9hA8Mi8VJj/GONkhNpll2F2tmY9ca
    nL6fsoC2vZpXYqR7q1kp6rKlZlis/TZBtPTEZDu9rBivN+9Pws362xgDRnySEszW
    :
    :
    -----END RSA PRIVATE KEY-----
  # ca.crt holds the CA chain: one PEM block per CA certificate, concatenated
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    MIIG1zCCBL+gAwIBAgITZwp6rKlZlis/TZBtPTEZDu9rBp6rKlZlis/TZBtPTEZD
    ADBKMQswCQYDVQQGEwJzZzEMMAoGA1UEChMDZ292MQwwCgYDVQQLEwNpY2ExHzAd
    :
    :
    pQMyduQJUUf6IPSif1NYU8zuGsbp1Al2Nxdy
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIFbzCCA1egAwIBAgIQFL7hqeEllphA4S518xNnJzANBgkqhkiG9w0BAQsFADBK
    MQswCQYDVQQGEwJzZzEMMAoGA1UEChMDZ292MQwwCgYDVQQLEwNpY2ExHzAdBgNV
    :
    :
    p2pu1ge6/xF+bCGWokxtGQW0sCim0X02y1qff1TSbACyS8nXfcPcpqOXm+PlmaTJ
    tfTY
    -----END CERTIFICATE-----
...
Apply the new values to the installed package. Pass the values file you edited and the namespace in which the Harbor PackageInstall lives (which is not necessarily the namespace Harbor itself runs in); both the installed version and that namespace are shown by tanzu package installed list -A.
$ tanzu package installed update harbor --version INSTALLED-PACKAGE-VERSION --values-file harbor-data-values.yaml --namespace INSTALLED-PACKAGE-NAMESPACE
For example:
$ tanzu package installed update harbor --package-name harbor.tanzu.vmware.com --version 2.8.4+vmware.1-tkg.1 --values-file harbor-default-values.yaml --namespace tkg-system
Updating package 'harbor.tanzu.vmware.com'
Getting package install for 'harbor.tanzu.vmware.com'
...
Confirm that the package reconciled successfully after the update:
$ tanzu package installed list -A | grep
After replacing the Harbor certificates, you may also need to update the Harbor root CA on the client side (the hosts that push to and pull from the registry) if the signing root CA has changed as well. In that situation, follow the extra procedure below.
It is possible to include the intermediate CA certificate in tls.crt, but the chain only works if the intermediate certificate is placed BELOW the leaf certificate: TLS requires the server's own certificate to come first and every following certificate to certify the one immediately before it (RFC 8446 section 4.4.2 for TLS 1.3, RFC 5246 section 7.4.2 for TLS 1.2). If the intermediate is listed above the leaf, clients treat the intermediate as the server certificate and the handshake fails.
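To exercise the checks from this article end to end, here is an added shell example; it is not part of the original article and not the Harbor package's own tooling. It builds a throwaway root CA, intermediate CA and leaf certificate with openssl under a temporary directory, then runs the key/certificate match check (using a public-key comparison that, unlike the modulus check, also works for EC keys), verifies the leaf against a ca.crt bundle with and without the intermediate, checks that tls.crt lists the leaf first and the intermediate below it as TLS requires, and renders the tlsCertificate section of harbor-data-values.yaml with the indentation used above. The hostname harbor.example.test, the "Demo" CA names and all file names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article or the Harbor package: builds a
# disposable root CA -> intermediate CA -> leaf chain with openssl, then runs
# the key/cert match, chain verification and bundle-order checks described in
# the article and renders the tlsCertificate block of harbor-data-values.yaml.
# Hostname, CA names and file names are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
HOST=harbor.example.test

# Sign a CSR: $1 CSR, $2 extension file, $3 CA cert, $4 CA key, $5 output cert.
issue() {
  openssl x509 -req -in "$1" -extfile "$2" -CA "$3" -CAkey "$4" -CAcreateserial \
    -days 7 -sha256 -out "$5" >/dev/null 2>&1
}

gen_chain() {
  # Root CA, self-signed. 2048-bit RSA keeps key generation fast for a demo.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/root.csr" -extfile "$WORK/ca.ext" -signkey "$WORK/root.key" \
    -days 7 -sha256 -out "$WORK/root.crt" >/dev/null 2>&1
  # Intermediate CA. Without CA:TRUE, openssl verify rejects it as an issuer.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  issue "$WORK/int.csr" "$WORK/ca.ext" "$WORK/root.crt" "$WORK/root.key" "$WORK/int.crt"
  # Leaf for the Harbor hostname, signed by the intermediate. Clients match the
  # hostname against the SAN, so the SAN must be present.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout "$WORK/tls.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/leaf.ext"
  issue "$WORK/leaf.csr" "$WORK/leaf.ext" "$WORK/int.crt" "$WORK/int.key" "$WORK/leaf.crt"
}

# Check 1: the private key belongs to the (first) certificate in the file.
# Comparing public keys works for RSA and EC; the article's modulus check is RSA-only.
key_matches_cert() {  # $1 = tls.crt, $2 = tls.key
  [ "$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)" = \
    "$(openssl pkey -pubout -in "$2" | openssl sha256)" ]
}

# Check 2: the leaf chains to the CA bundle. openssl verify validates only the
# first certificate in the file, so the bundle itself must carry the intermediate.
verify_leaf() {  # $1 = CA bundle, $2 = certificate file
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: bundle order. TLS (RFC 8446 4.4.2, RFC 5246 7.4.2) wants the server's
# own certificate first and each later certificate to certify the one before it,
# which is why the intermediate goes below the leaf in tls.crt.
bundle_in_order() {  # $1 = PEM bundle, $2 = hostname the first cert must match
  rm -f "$WORK"/split*.pem
  awk -v d="$WORK/split" '/BEGIN CERTIFICATE/{n++} {print > (d n ".pem")}' "$1"
  n=0; prev_issuer=
  for f in "$WORK"/split*.pem; do
    if [ "$n" -eq 0 ]; then
      openssl x509 -noout -checkhost "$2" -in "$f" | grep -q 'does match' || return 1
    else
      subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$f" | sed 's/^subject=//')
      [ "$subj" = "$prev_issuer" ] || return 1
    fi
    prev_issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$f" | sed 's/^issuer=//')
    n=$((n + 1))
  done
}

# Render the tlsCertificate block of harbor-data-values.yaml: every PEM file
# becomes a YAML block scalar indented four spaces under its key.
render_tls_values() {  # $1 = tls.crt bundle, $2 = tls.key, $3 = ca.crt bundle
  printf 'tlsCertificate:\n'
  for pair in "tls.crt=$1" "tls.key=$2" "ca.crt=$3"; do
    printf '  %s: |\n' "${pair%%=*}"
    sed 's/^/    /' "${pair#*=}"
  done
}

gen_chain
cat "$WORK/leaf.crt" "$WORK/int.crt"  > "$WORK/tls.crt"       # leaf first, intermediate below it
cat "$WORK/int.crt"  "$WORK/leaf.crt" > "$WORK/tls-wrong.crt" # intermediate above the leaf
cat "$WORK/int.crt"  "$WORK/root.crt" > "$WORK/ca.crt"        # CA chain, as in the article's ca.crt

for check in "key_matches_cert $WORK/tls.crt $WORK/tls.key" \
             "verify_leaf $WORK/ca.crt $WORK/tls.crt" \
             "verify_leaf $WORK/root.crt $WORK/tls.crt" \
             "bundle_in_order $WORK/tls.crt $HOST" \
             "bundle_in_order $WORK/tls-wrong.crt $HOST"; do
  if $check; then echo "PASS  $check"; else echo "FAIL  $check"; fi
done
render_tls_values "$WORK/tls.crt" "$WORK/tls.key" "$WORK/ca.crt" > "$WORK/tls-values.yaml"
echo "wrote $WORK/tls-values.yaml"
```

Run it with sh. The third check (ca.crt reduced to the root alone) and the fifth (intermediate above the leaf) are expected to report FAIL: the first shows why ca.crt in the values file must carry the intermediate for the article's openssl verify command to pass, and the second reproduces the mis-ordered bundle that breaks the chain for every client. Note that openssl req writes the key in PKCS#8 form (BEGIN PRIVATE KEY) rather than the PKCS#1 form (BEGIN RSA PRIVATE KEY) shown in the article; Harbor accepts either.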