Harbor Configure HTTPS

Generate a Certificate Authority Certificate

In a production environment, you should obtain a certificate from a CA. In a test or development environment, you can generate your own CA. To generate a CA certificate, run the following commands.

  1. Generate a CA certificate private key.

    openssl genrsa -out ca.key 4096
    
    
  2. Generate the CA certificate.

    Adapt the values in the -subj option to reflect your organization. If you use an FQDN to connect your Harbor host, you must specify it as the common name (CN) attribute.

    openssl req -x509 -new -nodes -sha512 -days 3650 \
     -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
     -key ca.key \
     -out ca.crt
    
    

Generate a Server Certificate

The certificate usually contains a .crt file and a .key file, for example, yourdomain.com.crt and yourdomain.com.key.

  1. Generate a private key.

    openssl genrsa -out yourdomain.com.key 4096
    
    
  2. Generate a certificate signing request (CSR).

    Adapt the values in the -subj option to reflect your organization. If you use an FQDN to connect your Harbor host, you must specify it as the common name (CN) attribute and use it in the key and CSR filenames.

    openssl req -sha512 -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
        -key yourdomain.com.key \
        -out yourdomain.com.csr
    
    
  3. Generate an x509 v3 extension file.

    Whether you use an FQDN or an IP address to connect to your Harbor host, you must create this file so that the certificate you generate for the host complies with the Subject Alternative Name (SAN) and x509 v3 extension requirements. Replace the DNS entries to reflect your domain; if clients connect by IP address, add an IP.1=<address> entry to alt_names as well.

    cat > v3.ext <<-EOF
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1=yourdomain.com
    DNS.2=yourdomain
    DNS.3=hostname
    EOF
    
    
  4. Use the v3.ext file to generate a certificate for your Harbor host.

    Replace yourdomain.com in the CSR and CRT file names with the Harbor host name.

    openssl x509 -req -sha512 -days 3650 \
        -extfile v3.ext \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -in yourdomain.com.csr \
        -out yourdomain.com.crt
    
    
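Before copying the files anywhere, it is worth confirming that the CA actually signed the server certificate, that the v3.ext extensions were applied, and that the key on disk belongs to that certificate. The following checker is an added example, not part of the Harbor documentation; the function and file names are assumptions, and the fixture function replays the openssl steps above into a temporary directory so the checker can be run offline.

```bash
#!/usr/bin/env bash
# Added example (not from the Harbor docs): sanity-check the CA and
# server certificate produced by the steps above before copying them to
# Harbor and Docker. verify_harbor_cert CA.crt HOST.crt HOST.key HOST

# Returns 0 when HOST.crt chains to CA.crt, names HOST in its SAN, carries
# the v3.ext leaf extensions and matches HOST.key; otherwise prints why.
verify_harbor_cert() {
    local ca="$1" crt="$2" key="$3" host="$4" text
    # 1. Chain: the generated CA must be the issuer of the server cert.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "chain: $crt is not signed by $ca" >&2; return 1; }
    text=$(openssl x509 -in "$crt" -noout -text)
    # 2. SAN: Docker and browsers match the hostname against SAN, not CN.
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -qw "DNS:$host" \
        || { echo "san: DNS:$host missing from subjectAltName" >&2; return 1; }
    # 3. v3.ext took effect: a non-CA leaf usable for TLS server auth.
    printf '%s\n' "$text" | grep -q 'CA:FALSE' \
        || { echo "ext: basicConstraints CA:FALSE missing" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "ext: extendedKeyUsage serverAuth missing" >&2; return 1; }
    # 4. Pairing: public key in the cert equals the one derived from the key.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "key: $key does not match $crt" >&2; return 1; }
}

# Constructed fixture: replays the page's openssl steps into DIR with
# short-lived 2048-bit keys so the checker has real material to inspect.
make_test_certs() {
    local dir="$1" host="$2"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 1 -subj "/CN=test-ca" \
        -key "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -sha512 -new -subj "/CN=$host" -key "$dir/$host.key" \
        -out "$dir/$host.csr" 2>/dev/null
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$host" > "$dir/v3.ext"
    openssl x509 -req -sha512 -days 1 -extfile "$dir/v3.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/$host.csr" -out "$dir/$host.crt" 2>/dev/null
}
```

Run it against the real files as verify_harbor_cert ca.crt yourdomain.com.crt yourdomain.com.key yourdomain.com; a non-zero exit with a one-line reason means the certificate will not be accepted by Docker or a browser.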

Provide the Certificates to Harbor and Docker

After generating the ca.crt, yourdomain.com.crt, and yourdomain.com.key files, you must provide them to Harbor and to Docker, and reconfigure Harbor to use them.

  1. Copy the server certificate and key into the certificates folder on your Harbor host.

    cp yourdomain.com.crt /data/cert/
    cp yourdomain.com.key /data/cert/
    
    
  2. Convert yourdomain.com.crt to yourdomain.com.cert, for use by Docker.

    The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.

    openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
    
    
  3. Copy the server certificate, key and CA files into the Docker certificates folder on the Harbor host. You must create the appropriate folders first.

    cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
    cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
    cp ca.crt /etc/docker/certs.d/yourdomain.com/
    
    

    If you mapped the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port, or /etc/docker/certs.d/harbor_IP:port.

  4. Restart Docker Engine.

    systemctl restart docker
    
    

You might also need to trust the certificate at the OS level. See Troubleshooting Harbor Installation for more information.

The following example illustrates a configuration that uses custom certificates.

/etc/docker/certs.d/
    └── yourdomain.com:port
       ├── yourdomain.com.cert  <-- Server certificate signed by CA
       ├── yourdomain.com.key   <-- Server private key; never distribute it
       └── ca.crt               <-- Certificate authority that signed the registry certificate
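The layout above, including the host:port directory name and the .crt to .cert conversion, can be produced by one helper. This is an added example, not Harbor's own tooling; the function name and the configurable root directory are assumptions so that it can be dry-run outside /etc/docker.

```bash
#!/usr/bin/env bash
# Added example, not from the Harbor docs: stage the server cert, key and
# CA into the Docker certs.d directory that matches how clients address
# the registry. dockerd looks the directory up by "host" or "host:port",
# so a non-443 nginx mapping needs the port in the directory name.
set -e

# stage_docker_certs ROOT HOST PORT CRT KEY CA
#   ROOT - normally /etc/docker; any writable path works for a dry run
#   PORT - empty string (or 443) when nginx still listens on 443
# Prints the directory it populated.
stage_docker_certs() {
    local root="$1" host="$2" port="$3" crt="$4" key="$5" ca="$6"
    local name="$host"
    [ -n "$port" ] && [ "$port" != 443 ] && name="$host:$port"
    local dir="$root/certs.d/$name"
    mkdir -p "$dir"
    # dockerd reads .crt as a CA certificate and .cert as a client
    # certificate, so the server cert is written with the .cert extension.
    openssl x509 -inform PEM -in "$crt" -out "$dir/$host.cert"
    install -m 0600 "$key" "$dir/$host.key"   # private key: owner-only
    install -m 0644 "$ca"  "$dir/ca.crt"
    echo "$dir"
}
```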

Deploy or Reconfigure Harbor

If you have not yet deployed Harbor, see Configure the Harbor YML File for information about how to configure Harbor to use the certificates by specifying the hostname and https attributes in harbor.yml.

If you already deployed Harbor with HTTP and want to reconfigure it to use HTTPS, perform the following steps.

  1. Run the prepare script to enable HTTPS.

    Harbor uses an nginx instance as a reverse proxy for all services. You use the prepare script to configure nginx to use HTTPS. The prepare script is in the Harbor installer bundle, at the same level as the install.sh script.

    ./prepare
    
    
  2. If Harbor is running, stop and remove the existing instance.

    Your image data remains in the file system, so no data is lost.

    docker-compose down -v
    
    
  3. Restart Harbor:

    docker-compose up -d
    
    

Verify the HTTPS Connection

After setting up HTTPS for Harbor, you can verify the HTTPS connection by performing the following steps.

  • Open a browser and enter https://yourdomain.com. It should display the Harbor interface.

    Some browsers might show a warning stating that the Certificate Authority (CA) is unknown. This happens when using a self-signed CA that is not from a trusted third-party CA. You can import the CA to the browser to remove the warning.

  • On a machine that runs the Docker daemon, check the /etc/docker/daemon.json file to make sure that yourdomain.com is not listed under insecure-registries (the --insecure-registry daemon option), which would disable certificate verification for that registry.

  • Log into Harbor from the Docker client.

    docker login yourdomain.com
    
    

    If you have mapped the nginx 443 port to a different port, add the port to the login command.

    docker login yourdomain.com:port
    
    

What to Do Next
