Deploying Harbor in Production📜
Harbor requires a redis endpoint filled in under
redis.external.addr. In order to use a fully extensible BigBang and Registry1 owned Redis installation
redis-bb.enabled is set to true by default to deploy a 1 master 3 replica redis cluster.
If you wish to utilize a cloud elasticache endpoint, disable
redis-bb.enabled and set your endpoint in
RSA Certificate for Token Signatures📜
Harbor requires an RSA key/certificate pair be generated and supplied as a secret to the Harbor core and exporter components. This RSA keypair is used to sign JWTs retrieved from the Harbor API at the
/service/token endpoint. Therefore, it is critical to keep the RSA key used to sign these tokens confidential.
# Generate the RSA key with length 4096 openssl genrsa -out secret.key 4096 # Generate the configuration used when generating the certificate # Replace with configuration appropriate for your organization cat <<EOF> conf [req] distinguished_name=dn [ dn ] [ ext ] basicConstraints=CA:TRUE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer EOF # Generate the certificate from the private key and configuration # Replace with configuration appropriate for your organization openssl req \ -key secret.key \ -config conf \ -nodes \ -new \ -subj "/" -x509 -days 365 -extensions ext -out cert.crt
Usage with chart📜
You may use these certificates with this helm chart in one of two ways:
- You can populate the
core.tokenCertificatefields with the content of the files created above
- You can create a secret yourself independently of the chart and reference it with