Updating the Harbor Certificate on Your TKG Cluster (vCD 10.5.1, CSE 4.2)

This blog post guides you through replacing the certificate for your Harbor registry deployed on a Tanzu Kubernetes Grid (TKG) cluster using Helm charts. We’ll assume you’re using VCD version 10.5.1 and Container Service Extension (CSE) version 4.2.

Understanding the Need for Certificate Replacement

Harbor certificates, like any TLS certificate, may need to be replaced because of expiration, security upgrades, or changes in your PKI. Replacing the certificate keeps communication with your container registry secure.


  • Access to your TKG cluster and kubectl CLI.
  • New certificate and key files (harbor-v2.crt and harbor-v2.key).


  1. Create a New Secret:
  • We’ll store the new certificate and key in a Kubernetes secret for secure management. Use the kubectl create secret tls command to create a secret named harbor-secret-v2:
   kubectl create secret tls harbor-secret-v2 --cert=harbor-v2.crt --key=harbor-v2.key --namespace=harbor-system

Replace harbor-v2.crt and harbor-v2.key with the actual filenames of your certificate and key files.

  2. Update the values.yaml file:
  • The values.yaml file defines various configurations for your Harbor deployment. Locate this file from your initial Harbor deployment process.
  • Edit the values.yaml file to point to the newly created secret. Look for the certSource setting and update it to use the secret:
   # under expose.tls in the Harbor Helm chart's values.yaml
   certSource: secret
   secret:
     secretName: "harbor-secret-v2"

This configures Harbor to use the certificate and key stored in the harbor-secret-v2 secret.

  3. Upgrade Harbor with the New Configuration:
  • Deploy the updated configuration with the new certificate using the helm upgrade command:
   helm upgrade harbor harbor -n harbor-system -f ./values.yaml

This command upgrades the harbor deployment in the harbor-system namespace using the configuration specified in the updated values.yaml file.
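Before step 1, it helps to confirm that the new key actually belongs to the new certificate, that the certificate is not about to expire, and that it covers the registry hostname, because a mismatched pair only shows up after the upgrade as failed image pulls. The following is an added example, not part of the original post; the script name preflight.sh, the function names, and the 30-day default are assumptions, and it needs only the openssl CLI.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for a replacement Harbor TLS pair, run
# before `kubectl create secret tls`. Script and function names are assumptions.

# True when the certificate carries the public key derived from the private key.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True when the certificate's SAN (or CN fallback) covers hostname $2.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Run all checks; report each failure and return the number of failed checks.
preflight() {
  local cert=$1 key=$2 host=$3 days=${4:-30} failed=0
  cert_matches_key "$cert" "$key" ||
    { echo "FAIL: $key is not the private key for $cert" >&2; failed=$((failed + 1)); }
  cert_valid_for_days "$cert" "$days" ||
    { echo "FAIL: $cert expires within $days days or is unreadable" >&2; failed=$((failed + 1)); }
  cert_covers_host "$cert" "$host" ||
    { echo "FAIL: $cert does not cover $host" >&2; failed=$((failed + 1)); }
  return "$failed"
}

# Usage: ./preflight.sh harbor-v2.crt harbor-v2.key <registry hostname> [min days]
if [ "$#" -ge 3 ]; then
  preflight "$@" && echo "OK: safe to create harbor-secret-v2"
fi
```
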


By following these steps, you’ve successfully replaced the certificate for your Harbor registry deployed on your TKG cluster. Remember to update your Harbor clients or local configurations to reflect the new certificate details for continued secure communication.