Rotate CA and Server certificate of Harbor deployed via TKGM package

Article ID: 385149

Products

  • Tanzu Kubernetes Runtime
  • Tanzu Kubernetes Grid
  • VMware Tanzu Kubernetes Grid
  • VMware Tanzu Kubernetes Grid 1.x
  • VMware Tanzu Kubernetes Grid Management
  • VMware Tanzu Kubernetes Grid Plus 1.x

Issue/Introduction

This process walks through how the server certificate of Harbor can be rotated when Harbor is deployed using TKGM packages. When rotating these certificates, note the following points:

  • If the CA certificate is rotated, make sure the updated CA is pushed to clients, such as TKG clusters, so that connections to Harbor remain uninterrupted.
  • If only the server certificate is rotated and the CA remains unchanged, no changes are needed on the client side.

Resolution

Before proceeding with the steps, verify that details such as the namespace, package name, package version and secret name match your environment, and update them accordingly.

Get the current certificate details

  • Save this output so it can be compared with the certificate output after the rotation:
namespace="tanzu-system-registry"
secret='harbor-tls'
encoded_cert=$(kubectl get secret $secret -n $namespace -o jsonpath='{.data.tls\.crt}')
decoded_cert=$(echo "$encoded_cert" | base64 -d | openssl x509 -noout -dates -serial -issuer -subject -ext subjectAltName)
echo "$decoded_cert" > before-harbor-server-cert-rotate.out


Get the latest package configuration

tanzu package installed get harbor \
--namespace tanzu-system-registry \
--values-file-output values.yml
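
Before the new certificate and key are pasted into values.yml in the next step, it is worth confirming that they belong together, that the subjectAltName covers the Harbor hostname, and whether the certificate still chains to the CA that clients already trust (which decides whether the client-side CA update from the introduction is needed). The following script is an added example, not part of this article or of the Harbor package; the file names new-tls.crt, new-tls.key and ca.crt and the hostname harbor.example.internal in the usage line are assumed placeholders.

```shell
#!/bin/sh
# Pre-flight checks for a replacement Harbor certificate/key pair before it is
# written into values.yml. Added example; not part of the KB article or of the
# Harbor package. File names and hostname in the usage line are placeholders.
set -u

# SHA-256 of the DER-encoded public key carried by a PEM certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a PEM private key.
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when certificate and private key belong together (RSA or EC).
cert_key_match() {
    c=$(cert_pubkey_digest "$1")
    k=$(key_pubkey_digest "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 when the certificate's subjectAltName lists the given DNS name.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qx "DNS:$2"
}

# Returns 0 when the certificate verifies against the CA file clients trust.
# Add -untrusted <intermediate.pem> if an intermediate CA sits in between.
cert_signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Runs every check, prints one line per result, returns non-zero on failure.
preflight() {
    cert=$1 key=$2 ca=$3 host=$4 rc=0
    if cert_key_match "$cert" "$key"; then
        echo "ok:   certificate matches private key"
    else
        echo "FAIL: certificate and private key do not belong together"; rc=1
    fi
    if cert_has_san "$cert" "$host"; then
        echo "ok:   subjectAltName covers $host"
    else
        echo "FAIL: subjectAltName does not list $host"; rc=1
    fi
    if cert_signed_by_ca "$cert" "$ca"; then
        echo "ok:   chains to $ca (server-only rotation, clients need no change)"
    else
        echo "WARN: does not verify against $ca; if the CA was rotated, push the new CA to every client"; rc=1
    fi
    return $rc
}

# Usage: sh harbor-cert-preflight.sh new-tls.crt new-tls.key ca.crt harbor.example.internal
if [ $# -eq 4 ]; then
    preflight "$@"
fi
```

Comparing public-key digests rather than RSA moduli keeps the cert/key check valid for EC keys as well. A WARN on the CA check is exactly the case the introduction describes: the rotation is no longer server-only, so the new CA has to reach every client before the package update is applied.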


Apply new certificate

  • To rotate the Harbor server certificate, update tlsCertificate.tls.crt and tlsCertificate.tls.key in the values.yml extracted in the previous step, then apply it:
tanzu package installed update harbor \
--version 2.8.4+vmware.1-tkg.1 \
--values-file values.yml \
--namespace tanzu-system-registry
  • When the new certificate is applied, the harbor package update output shows an update of the harbor-tls secret, as in this example output:
12:22:53PM: Deploy started
12:22:54PM: Deploying
	    | Target cluster 'https://100.64.0.1:443' (nodes: wld-kubevip-controlplane-c4dzk-tx87n, 4+)
	    | Changes
	    | Namespace              Name        Kind    Age  Op      Op st.  Wait to    Rs  Ri
	    | tanzu-system-registry  harbor-tls  Secret  1h   update  -       reconcile  ok  -
	    | Op:      0 create, 0 delete, 1 update, 0 noop, 0 exists
	    | Wait to: 1 reconcile, 0 delete, 0 noop
	    | 12:22:54PM: ---- applying 1 changes [0/1 done] ----
	    | **12:22:54PM: update secret/harbor-tls (v1) namespace: tanzu-system-registry**
	    | 12:22:54PM: ---- waiting on 1 changes [0/1 done] ----
	    | 12:22:54PM: ok: reconcile secret/harbor-tls (v1) namespace: tanzu-system-registry
	    | 12:22:54PM: ---- applying complete [1/1 done] ----
	    | 12:22:54PM: ---- waiting complete [1/1 done] ----
	    | Succeeded
12:22:54PM: Deploy succeeded


Verify the server certificate

  • The rotated certificate should now be reflected in the secret; compare this output with before-harbor-server-cert-rotate.out saved earlier:
namespace="tanzu-system-registry"
secret='harbor-tls'
encoded_cert=$(kubectl get secret $secret -n $namespace -o jsonpath='{.data.tls\.crt}')
decoded_cert=$(echo "$encoded_cert" | base64 -d | openssl x509 -noout -dates -serial -issuer -subject -ext subjectAltName)
echo "$decoded_cert" > after-harbor-server-cert-rotate.out
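
The before and after files produced above make it possible to answer the question from the introduction mechanically: did only the server certificate change (no client work) or did the issuer change as well (the new CA must be pushed to TKG clusters)? The script below is an added example, not part of this article; it parses the two saved outputs, flags any subjectAltName entry that disappeared, and, as a final check, reads the serial of the certificate Harbor actually presents on port 443, since an updated secret alone does not prove the Harbor pods reloaded it. The sample files written by write_samples are constructed for this example in the same format as the openssl output the article saves; harbor.example.internal is an assumed hostname.

```shell
#!/bin/sh
# Compare the certificate details captured before and after the rotation and
# decide whether clients need a CA update. Added example; not part of the KB
# article. Sample files from write_samples are constructed; served_serial
# assumes the hostname passed to it resolves to the Harbor endpoint.
set -u

# Value of a "key=value" line (notBefore, notAfter, serial, issuer, subject).
cert_field() {
    sed -n "s/^$2=//p" "$1"
}

# DNS names listed under the subjectAltName extension, one per line.
cert_sans() {
    sed -n '/Subject Alternative Name/,$p' "$1" | sed '1d' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep '^DNS:' || true
}

# Prints one of: unchanged | server-only | ca-rotated.
# Issuer comparison is by DN only: a re-keyed CA that kept its DN is not
# detected here, so also verify the new certificate against the CA file
# that clients already trust (openssl verify -CAfile).
rotation_status() {
    if [ "$(cert_field "$1" issuer)" != "$(cert_field "$2" issuer)" ]; then
        echo ca-rotated
    elif [ "$(cert_field "$1" serial)" != "$(cert_field "$2" serial)" ]; then
        echo server-only
    else
        echo unchanged
    fi
}

# Prints SANs present before the rotation but missing after it; a dropped
# name breaks every client that reaches Harbor through that name.
san_dropped() {
    for n in $(cert_sans "$1"); do
        cert_sans "$2" | grep -qx "$n" || echo "$n"
    done
}

# Serial of the certificate Harbor actually presents on port 443; compare it
# with "cert_field after-harbor-server-cert-rotate.out serial".
served_serial() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -serial | sed 's/^serial=//'
}

# Constructed samples in the format produced by
# "openssl x509 -noout -dates -serial -issuer -subject -ext subjectAltName".
write_samples() {
    cat > "$1/before.out" <<'EOF'
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Dec 31 23:59:59 2024 GMT
serial=0A1B2C3D
issuer=CN=Harbor Internal CA
subject=CN=harbor.example.internal
X509v3 Subject Alternative Name:
    DNS:harbor.example.internal, DNS:registry.example.internal
EOF
    cat > "$1/after-server.out" <<'EOF'
notBefore=Dec  1 00:00:00 2024 GMT
notAfter=Nov 30 23:59:59 2025 GMT
serial=1F2E3D4C
issuer=CN=Harbor Internal CA
subject=CN=harbor.example.internal
X509v3 Subject Alternative Name:
    DNS:harbor.example.internal, DNS:registry.example.internal
EOF
    cat > "$1/after-ca.out" <<'EOF'
notBefore=Dec  1 00:00:00 2024 GMT
notAfter=Nov 30 23:59:59 2025 GMT
serial=77AB99CD
issuer=CN=Harbor Internal CA G2
subject=CN=harbor.example.internal
X509v3 Subject Alternative Name:
    DNS:harbor.example.internal
EOF
}

# Usage: sh compare.sh before-harbor-server-cert-rotate.out after-harbor-server-cert-rotate.out
if [ $# -eq 2 ]; then
    echo "rotation: $(rotation_status "$1" "$2")"
    san_dropped "$1" "$2" | sed 's/^/dropped SAN: /'
fi
```

A result of ca-rotated or any "dropped SAN" line is the signal to stop and fix clients before treating the rotation as finished; a served serial that still equals the before.out serial means the secret changed but Harbor has not picked it up yet.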