harbor
Proposal: add Let's Encrypt certificate management tools
SSL is the default for system tools, so I propose this feature.
Let me confirm: you are proposing using letsencrypt in the prepare script to replace openssl? Is that correct?
Let's Encrypt can generate a valid cert file. It makes development and deployment testing for an SSL site easy. I don't mean to replace openssl.
Hi @reasonerjt, I just filed an issue to mark the request. Let it go; I will handle it again.
+1, maybe at least providing a simple tutorial on how to set up letsencrypt (certbot) with the nginx conf for Harbor.
I'm trying to follow https://github.com/vmware/harbor/blob/master/docs/configure_https.md to set up harbor with letsencrypt, but I can't seem to get anywhere. Just using the default nginx.conf, I'm able to access harbor at http://harbor.mydomain.com, but copying the https version over and configuring it doesn't give me access on http or https.
I'm assuming that the ssl_certificate is fullcert.pem and that ssl_certificate_key is privkey.pem.
Anybody have success and can share how to properly configure harbor with letsencrypt?
I managed to do this with certbot-external-auth. I added the generated files' path in the config file (see below), then ran prepare and install.sh. prepare takes care of copying the nginx https version.
```
ssl_cert = /etc/letsencrypt/live/mydomainname/fullchain.pem
ssl_cert_key = /etc/letsencrypt/live/mydomainname/privkey.pem
```
Maybe something like https://github.com/smashwilson/lets-nginx could be built into harbor?
Or this? https://github.com/AnalogJ/letsencrypt-http01-docker-nginx-example
Any news about that?
Here is how I did it.
This is what I would do for domain.com:

1. Add the location for the webroot challenges to the nginx.http(s).conf files in the ./common/templates/nginx/ path of the source:
```
# enable lets encrypt challenges
location /.well-known/acme-challenge {
    root /var/www/letsencrypt;
}
```
Additionally you need to set `server_name domain.com;` in both files so certbot can find that server block; I set it right after the listen port.

2. Update the docker-compose.yml file to include a volume for certbot to write its files to for challenge verification. Make sure the path in the container matches the path from the templates location.
```
volumes:
  - ./common/config/nginx:/etc/nginx:z
  - /tmp/proxy/html:/var/www/letsencrypt
```

3. Run `sudo ./install`. This will build / run harbor.

4. Run certbot either in a container or from the host. Run it with the webroot plugin, pass the path to the volume we mounted in the nginx proxy for docker compose, and pass the domain name from the harbor.cfg file.
```
sudo certbot certonly --webroot -w /tmp/proxy/html -d domain.com
```

5. Update the harbor.cfg with:
```
ui_url_protocol = https
#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /etc/letsencrypt/live/domain.com/fullchain.pem
ssl_cert_key = /etc/letsencrypt/live/domain.com/privkey.pem
```

6. We need to restart harbor and regenerate from the templates; now we should have certs.
```
sudo docker-compose down
sudo ./prepare
sudo docker-compose up -d
```
Now you should be able to hit https://domain.com with your letsencrypt cert.
Or you can keep harbor behind a haproxy/envoy/nginx & delegate the responsibility of fresh & renewal requests to cert-manager.
It already is behind an nginx proxy, why run another one when you already have a container running it?
Multiple reasons (other than the obvious answer of not having native support):
- High availability
- DoS mitigation & any additional security you want to provide at the edge layer
When you want to deploy any app in an HA configuration via BGP & VIPs, the app needs to participate in BGP, which makes it harder to do rolling updates.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
(unstale!)
I actually love the idea of having native Let's Encrypt support, but there are obviously a number of different ways to do this. Perhaps we can discuss in more detail (here is fine, though before an implementation is addressed we'd like to have a formal proposal in place).
Anyone in specific want to tackle this problem and contribute the feature? I'm happy to help through the process.
@clouderati
No objection to unstale.
Personally I prefer to decouple the management of certificates from the lifecycle of Harbor. Like in https://github.com/goharbor/harbor/issues/584#issuecomment-277693575, the user can generate the cert via Let's Encrypt and copy the cert when installing Harbor.
Maybe https://blogs.vmware.com/cloudnative/2019/06/12/demonstrating-certificate-management-by-deploying-harbor-with-an-ssl-endpoint/ would help...
> I managed to do this with certbot-external-auth. I added the generated files' path in the config file (see below), then ran prepare and install.sh. prepare takes care of copying the nginx https version.
> ```
> ssl_cert = /etc/letsencrypt/live/mydomainname/fullchain.pem
> ssl_cert_key = /etc/letsencrypt/live/mydomainname/privkey.pem
> ```

I was just successful in applying a letsencrypt certificate using this method, only now rather than `ssl_cert` and `ssl_cert_key` it is in harbor.yaml:
```
https:
  certificate: /<path>/fullchain.pem
  private_key: /<path>/privkey.pem
```
followed by `./prepare && ./install.sh`.
It would be nice to see this mentioned in some guide/docs or so.
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
New link is https://tanzu.vmware.com/content/blog/demonstrating-certificate-management-by-deploying-harbor-with-an-ssl-endpoint
As a temporary solution that would not break in case I run install by mistake, I've mixed the harbor.yaml config and the letsencrypt renewal hooks.

I've created the certificate with the standalone module:
```
sudo certbot certonly --standalone -d registry.domain.tld
```

I've added a docker-compose.override.yml to prevent the config from being rewritten; it's to prevent a restart during the renewal process:
```
version: '2.3'
services:
  proxy:
    restart: unless-stopped
```

I've added letsencrypt renewal hooks:
```
sudo vi /etc/letsencrypt/renewal-hooks/pre/harbor.sh
```
```
#!/bin/bash
/usr/bin/docker stop nginx
```
and
```
sudo vi /etc/letsencrypt/renewal-hooks/post/harbor.sh
```
```
#!/bin/bash
cd /MY/PATH/TO/harbor/ || exit 1
./prepare --with-notary --with-trivy --with-chartmuseum
docker-compose up -d
```

and in the harbor.yml I've configured the certificates with:
```
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /etc/letsencrypt/live/registry.domain.tld/fullchain.pem
  private_key: /etc/letsencrypt/live/registry.domain.tld/privkey.pem
```

Explanation:
- The docker-compose.override.yml is to not modify the base file that will be erased if you run ./install.
- The pre hook is to stop the container that listens on ports 80 and 443.
- The post hook uses prepare to copy the certificates into the nginx container.

Not pretty, but I could not use the nginx/conf.d/ files since they are erased by the install/prepare process and could easily break by accident. I hope there'll be a better solution soon.
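Both the webroot walkthrough earlier in the thread and the renewal hooks just above hand whatever certbot wrote straight to `./prepare`, so a renewal that produced a mismatched pair or left the key world-readable would be copied into the nginx container as-is. The following is an added example (my own, not code from this thread or from the Harbor project) of a certbot deploy hook that checks the renewed pair first. `HARBOR_DIR` is a placeholder; the hook relies on `RENEWED_LINEAGE`, which certbot exports to deploy hooks and which points at the `live/<domain>` directory of the certificate that was just renewed. Everything else is standard `openssl` and `stat`.

```shell
#!/bin/bash
# Added example (not from this thread or the Harbor project): a certbot deploy
# hook that checks the renewed Let's Encrypt pair before Harbor's prepare
# script copies it into the nginx container. A key that does not match the
# certificate, an expired certificate, or a world-readable private key is
# rejected and the running Harbor config is left untouched.
# HARBOR_DIR is a placeholder (assumption); replace it with your install path.
HARBOR_DIR="${HARBOR_DIR:-/MY/PATH/TO/harbor}"

# cert_key_match CERT KEY: succeeds only if the public key embedded in CERT
# equals the public key derived from KEY (works for RSA and ECDSA keys).
cert_key_match() {
  local cert="$1" key="$2" cpub kpub
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# cert_valid_for CERT SECONDS: succeeds if CERT is still valid SECONDS from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# key_perms_ok KEY: succeeds unless the private key is group- or world-readable.
# -L follows the symlink certbot keeps in live/, so the archive file's mode is
# what gets checked (GNU/busybox stat; adjust the format flag on BSD systems).
key_perms_ok() {
  local mode
  mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 1
  [ $((0$mode & 077)) -eq 0 ]
}

# check_pair CERT KEY: runs every check and prints the first failure to stderr.
check_pair() {
  local cert="$1" key="$2"
  [ -r "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
  [ -r "$key" ]  || { echo "missing private key: $key" >&2; return 1; }
  cert_key_match "$cert" "$key" || { echo "certificate and key do not match" >&2; return 1; }
  cert_valid_for "$cert" 86400  || { echo "certificate expired or expires within 24h" >&2; return 1; }
  key_perms_ok "$key"           || { echo "private key is readable by other users" >&2; return 1; }
}

# certbot sets RENEWED_LINEAGE for deploy hooks, and only when a certificate
# was actually renewed; when it is absent (e.g. the file is sourced for
# testing) nothing below runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  if check_pair "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem"; then
    cd "$HARBOR_DIR" || exit 1
    ./prepare && docker-compose up -d
  else
    echo "renewed certificate rejected; Harbor config left untouched" >&2
    exit 1
  fi
fi
```

Install it as `/etc/letsencrypt/renewal-hooks/deploy/harbor.sh` (executable). With the standalone authenticator the pre hook that stops nginx is still needed, and because a deploy hook only fires when something was renewed, a post hook that just runs `docker-compose up -d` keeps nginx coming back on dry runs and no-op renewals too. Comparing public keys rather than RSA moduli is deliberate: it gives the same answer for ECDSA certificates, which certbot issues when asked for an EC key.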
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.