Rotate CA and Server certificate of Harbor deployed via TKGM package
Article ID: 385149

Updated On:

Products

  • Tanzu Kubernetes Runtime
  • Tanzu Kubernetes Grid
  • VMware Tanzu Kubernetes Grid
  • VMware Tanzu Kubernetes Grid 1.x
  • VMware Tanzu Kubernetes Grid Management
  • VMware Tanzu Kubernetes Grid Plus 1.x

Issue/Introduction

  • If the CA certificate is rotated, make sure the updated CA is pushed to clients such as the TKG clusters, so that their connection to Harbor remains uninterrupted.
  • If only the server certificate is rotated and the CA remains unchanged, no changes are needed on the client side.
  • Harbor appears to have a new root CA, and we need the process for updating it across TKGm 2.5.4 with legacy clusters.

Environment

TKGm 2.5.4

Cause

Harbor certificate has expired

Resolution

Before proceeding with the steps, please make sure to verify the details like namespace, package name, package version, secret name, etc., match your environment and update them accordingly.

  1. Get the current certificate details and save this output to compare with the certificate output later.
    namespace="tanzu-system-registry"
    secret='harbor-tls'
    encoded_cert=$(kubectl get secret $secret -n $namespace -o jsonpath='{.data.tls\.crt}')
    decoded_cert=$(echo "$encoded_cert" | base64 -d | openssl x509 -noout -dates -serial -issuer -subject -ext subjectAltName)
    echo "$decoded_cert" > before-harbor-server-cert-rotate.out


  2. Get the latest package configuration.
    tanzu package installed get harbor \
      --namespace tanzu-system-registry \
      --values-file-output values.yml


  3. Apply the new certificate to rotate the Harbor server certificate: update tlsCertificate.tls.crt and tlsCertificate.tls.key in the values.yml extracted in the previous step, then update the package with the edited file.
    tanzu package installed update harbor \
      --version 2.8.4+vmware.1-tkg.1 \
      --values-file values.yml \
      --namespace tanzu-system-registry


  4. When the new certificate is applied during the Harbor package update, the deploy messages show the harbor-tls secret being updated. Example output:

    12:22:53PM: Deploy started
    12:22:54PM: Deploying
    Target cluster 'https://100.64.0.1:443' (nodes: wld-kubevip-controlplane-c4dzk-tx87n, 4+)
    Changes
    Namespace              Name        Kind    Age  Op      Op st.  Wait to    Rs  Ri
    tanzu-system-registry  harbor-tls  Secret  1h   update  -       reconcile  ok  -
    Op:      0 create, 0 delete, 1 update, 0 noop, 0 exists
    Wait to: 1 reconcile, 0 delete, 0 noop
    12:22:54PM: ---- applying 1 changes [0/1 done] ----
    **12:22:54PM: update secret/harbor-tls (v1) namespace: tanzu-system-registry**
    12:22:54PM: ---- waiting on 1 changes [0/1 done] ----
    12:22:54PM: ok: reconcile secret/harbor-tls (v1) namespace: tanzu-system-registry
    12:22:54PM: ---- applying complete [1/1 done] ----
    12:22:54PM: ---- waiting complete [1/1 done] ----
    Succeeded
    12:22:54PM: Deploy succeeded

  5. Verify that the rotated certificate is now reflected in the secret, and compare the output with the file saved in step 1.
    namespace="tanzu-system-registry"
    secret='harbor-tls'
    encoded_cert=$(kubectl get secret $secret -n $namespace -o jsonpath='{.data.tls\.crt}')
    decoded_cert=$(echo "$encoded_cert" | base64 -d | openssl x509 -noout -dates -serial -issuer -subject -ext subjectAltName)
    echo "$decoded_cert" > after-harbor-server-cert-rotate.out
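The procedure above tells you to compare the before and after reports by hand. The following script is an added example, not part of the KB article or of the Harbor package: it reads the two report files written in steps 1 and 5 and decides whether the change was a server-certificate-only rotation (no client action) or a CA rotation (the new CA must be pushed to every TKG cluster, as the introduction states). The helper names, the `--demo` flag and the sample report contents are constructed for this example; the live-endpoint check assumes the hostname Harbor is reachable on is passed as `host:port`.

```bash
#!/usr/bin/env bash
# Added example (not from the KB): classify a Harbor certificate rotation from the
# "openssl x509 -noout -dates -serial -issuer -subject" reports saved in steps 1 and 5.
# Expects lines such as "serial=01", "issuer=CN = Harbor CA", "notAfter=...".

# Print the value of a "key=value" line from an openssl x509 report file.
cert_field() {  # usage: cert_field <report-file> <key>
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Compare serial and issuer of the two reports and print one of:
#   unchanged   - same serial: the package update did not replace the secret
#   server-only - new serial, same issuer: no client-side changes needed
#   ca-rotated  - issuer changed: push the new CA to every TKG cluster
classify_rotation() {  # usage: classify_rotation <before.out> <after.out>
  b_serial=$(cert_field "$1" serial);  a_serial=$(cert_field "$2" serial)
  b_issuer=$(cert_field "$1" issuer);  a_issuer=$(cert_field "$2" issuer)
  if [ "$b_serial" = "$a_serial" ]; then
    echo unchanged
  elif [ "$b_issuer" != "$a_issuer" ]; then
    echo ca-rotated
  else
    echo server-only
  fi
}

# Live check (needs cluster and network access, so the demo below does not run it):
# the certificate Harbor actually serves must match the one stored in the harbor-tls secret.
live_cert_matches_secret() {  # usage: live_cert_matches_secret <host:port> <namespace> <secret>
  live_fp=$(openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256)
  secret_fp=$(kubectl get secret "$3" -n "$2" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -fingerprint -sha256)
  [ -n "$live_fp" ] && [ "$live_fp" = "$secret_fp" ]
}

# Constructed sample reports (all values made up) written into <dir> for the demo.
write_sample_reports() {  # usage: write_sample_reports <dir>
  printf 'notAfter=Dec 31 23:59:59 2024 GMT\nserial=01\nissuer=CN = Harbor CA\n' > "$1/before.out"
  printf 'notAfter=Dec 31 23:59:59 2025 GMT\nserial=02\nissuer=CN = Harbor CA\n' > "$1/after-server.out"
  printf 'notAfter=Dec 31 23:59:59 2025 GMT\nserial=03\nissuer=CN = Harbor CA 2\n' > "$1/after-ca.out"
}

# Demo on the constructed samples. With the real files from the procedure, run:
#   classify_rotation before-harbor-server-cert-rotate.out after-harbor-server-cert-rotate.out
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d); write_sample_reports "$dir"
  echo "server-only case: $(classify_rotation "$dir/before.out" "$dir/after-server.out")"
  echo "ca-rotated case:  $(classify_rotation "$dir/before.out" "$dir/after-ca.out")"
  rm -rf "$dir"
fi
```

A result of `ca-rotated` means the CA bundle in the values file of every client cluster has to be updated as well; `unchanged` means the package update did not actually replace the secret and step 3 should be re-checked.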