Configuring Harbor with a Public SSL Certificate

1. Register the Harbor Public SSL Certificate

1. Change the hosts file.

vi /etc/hosts

[IP] Certificate domain
[IP] Certificate domain

2. Locate the harbor docker-compose.yml file.

$ sudo find / -name 'docker-compose.yml'​
cocktail@priv-registry:~$ sudo find / -name 'docker-compose.yml'/var/lib/cubectl/harbor/docker-compose.yml
cocktail@priv-registry:~$

3. Modify the domain of the Harbor certificate.

$ cd /var/lib/cubectl/harbor/common/config/core
$ vi env​

# AS-IS
EXT_ENDPOINT=https://10.1.1.50
​# TO-BE (Connection address, example:)
EXT_ENDPOINT=https://harbor.cocktailcloud.io

4. Verify the location of the Harbor certificate.

# Search in the directory where the previously checked docker-compose.yml is located.
​grep -A 20 'nginx-photon' docker-compose.yml
​# Check the cert directory in the volumes below.
volumes:
    - ./common/config/nginx:/etc/nginx:z
    - /data/harbor/secret/cert:/etc/cert:z
    - type: bind
    source: ./common/config/shared/trust-certificates
    target: /harbor_cust_cert

5. Replace the certificate with the public SSL certificate.

$ cd /app/data/harbor/secret/cert
$ ls -lrt
-rw------- 1 10000 10000 5055 Apr 11 11:10 server.crt
-rw------- 1 10000 10000 1679 Apr 11 11:11 server.key

​# Backup the respective certificates.
$ sudo cp server.crt old_server.crt
$ sudo cp server.key old_server.key​

# Replace the file with the assigned certificate.
#(The permissions of the actual certificate should be set to 10000:10000.)
#(PEM format file for Nginx) -ex) Wildcard.k-paas.io_pem.pem
$ sudo tee /app/data/harbor/secret/cert/server.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIGSDCCBTCgAwIBAgIMD/LYBjs
... (Skip)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIET
... (Skip)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----
EOF

sudo tee /app/data/harbor/secret/cert/server.key  <<EOF 
-----BEGIN RSA PRIVATE KEY-----
MIIEpAI....(Skip)
-----END RSA PRIVATE KEY-----
EOF

6. Confirm that the SSL certificate is correctly configured in Nginx.

$ docker exec -it nginx nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

$ sudo docker exec -it redis redis-cli FLUSHALL
OK

7. Restart Harbor.

# The docker-compose.yml file is written in the path confirmed above.

# Stop Harbor
sudo docker compose -f /var/lib/cubectl/harbor/docker-compose.yml down -v

# Start Harbor
sudo docker compose -f /var/lib/cubectl/harbor/docker-compose.yml up -d
또는 (cube 5.2.5)
sudo systemctl restart cube-harbor

8. Verify the connection.

9. Create a directory with the domain name in the /etc/containerd/certs.d directory on all nodes.

$ cd /etc/containerd/certs.d
$ cp -r 172.25.1.172 pass-regi.cocktailcloud.io

10. In the hosts.toml file of all directories in /etc/containerd/certs.d, change the part with an IP to the domain.

$ cd /etc/containerd/certs.d/docker.io
$ vi hosts.toml

## Before the changes
server = "https://docker.io"

[host."https://172.25.1.172/v2/docker.io/"]
  capabilities = ["pull", "resolve"]
  ca = "/etc/docker/certs.d/172.25.1.172/ca.crt"
  override_path = true
----------------------------------------------------------

## After the changes
server = "https://docker.io"

[host."https://paas-regi.cocktailcloud.io/v2/docker.io/"]
  capabilities = ["pull", "resolve"]
  ca = "/etc/docker/certs.d/paas-regi.cocktailcloud.io/ca.crt"
  override_path = true

11. Copy the directory with the IP in /etc/docker/certs.d to the domain.

$ cd /etc/docker/certs.d
$ cp -r 172.25.1.172 pass-regi.cocktailcloud.io