harbor-helm
Harbor ingress and Notary ingress share the same TLS secret name
Steps to reproduce:
- git clone this repo
```
$ helm template harbor . --dry-run | grep -A 1 "tls:"
tls:
- secretName: harbor-ingress
--
tls:
- secretName: harbor-ingress
```
Impact: Whichever ingress writes to that secret first wins, so right now my harbor.my.domain is serving a certificate for notary.harbor.my.domain.
Looks like this bug was introduced in https://github.com/goharbor/harbor-helm/commit/c34ab1d336d3f5ff7edb51068381a0be63d2c8ad which means it's been in every release of harbor-helm since 1.4.0.
The Harbor chart generates a certificate containing hostnames both for core and notary by default. I don't understand why the ingress writes to the secret? Are you using the default configuration?
@tomalexander I was able to fix this on my cluster that uses ingress-nginx and cert-manager.
It looks like Harbor tries to automatically create certificates by default, which were in conflict with ones that cert-manager was intended to provision. Changing `expose.tls.certSource` to equal "secret" and then specifying `expose.tls.secret.secretName` and `expose.tls.secret.notarySecretName` resolved this issue for me.
```yaml
expose:
  type: ingress
  tls:
    certSource: "secret"
    enabled: true
    secret:
      secretName: "harbor-core-ingress-tls"
      notarySecretName: "harbor-notary-ingress-tls"
```
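A check for the condition reported in this issue, as an added example that is not part of the thread or of the chart: it reads rendered manifests on stdin and lists every TLS secret referenced by more than one Ingress, so the overlap can be caught before deploying. The manifest produced by `sample_manifest` is constructed, and its Ingress names are assumptions.

```shell
# Added example: reads rendered manifests on stdin and prints
# "<secret> <ingress>,<ingress>" for each TLS secret used by more than one Ingress.
shared_tls_secrets() {
  awk '
    function flush_doc(   i, k) {
      for (i = 1; is_ingress && i <= n; i++) {
        k = sec[i]
        if (!((k, name) in pair)) {       # count each Ingress once per secret
          pair[k, name] = 1; count[k]++
          users[k] = users[k] (users[k] ? "," : "") name
        }
      }
      is_ingress = 0; name = ""; n = 0; in_meta = 0
    }
    /^---/                        { flush_doc(); next }   # document separator
    /^kind:[ \t]*Ingress[ \t]*$/  { is_ingress = 1 }
    /^metadata:/                  { in_meta = 1; next }
    /^[^ \t#]/                    { in_meta = 0 }          # any other top-level key
    in_meta && name == "" && /^  name:/ { name = $2; gsub(/"/, "", name) }
    /secretName:/ {
      s = $0; sub(/.*secretName:[ \t]*/, "", s); gsub(/[" \t]/, "", s)
      if (s != "") sec[++n] = s
    }
    END { flush_doc(); for (k in count) if (count[k] > 1) print k, users[k] }
  ' | sort
}

# Constructed sample: two Ingress objects; $1 and $2 are their TLS secret names.
sample_manifest() {
  cat <<EOF
kind: Ingress
metadata:
  name: harbor-ingress
spec:
  tls:
  - secretName: $1
    hosts: [harbor.my.domain]
---
kind: Ingress
metadata:
  name: harbor-ingress-notary
spec:
  tls:
  - secretName: $2
    hosts: [notary.harbor.my.domain]
EOF
}

sample_manifest harbor-ingress harbor-ingress | shared_tls_secrets
```

Against a real chart the input would be `helm template harbor . | shared_tls_secrets`; empty output means no secret is shared between Ingress objects.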
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.