This blog post guides you through replacing the certificate for your Harbor registry deployed on a Tanzu Kubernetes Grid (TKG) cluster using Helm charts. We’ll assume you’re using VCD version 10.5.1 and Container Service Extension (CSE) version 4.2.
Understanding the Need for Certificate Replacement
Harbor certificates, like any security certificate, may need to be replaced due to expiration, security upgrades, or changes in your PKI infrastructure. This process ensures secure communication within your container registry.
Prerequisites
- Access to your TKG cluster and kubectl CLI.
- New certificate and key files (harbor-v2.crt and harbor-v2.key).
Steps:
- Create a New Secret:
- We’ll store the new certificate and key in a Kubernetes secret for secure management. Use the kubectl create secret tls command to create a secret named harbor-secret-v2:
kubectl create secret tls harbor-secret-v2 --cert=harbor-v2.crt --key=harbor-v2.key --namespace=harbor-system
Replace harbor-v2.crt and harbor-v2.key with the actual filenames of your certificate and key files.
- Update the values.yaml file:
- The values.yaml file defines various configurations for your Harbor deployment. Locate this file from your initial Harbor deployment process.
- Edit the values.yaml file to point to the newly created secret. Look for the certSource section and update it to use secrets:
certSource: secret
secret:
  secretName: "harbor-secret-v2"
This configures Harbor to use the certificate and key stored in the harbor-secret-v2 secret.
- Upgrade Harbor with the New Configuration:
- Deploy the updated configuration with the new certificate using the helm upgrade command:
helm upgrade harbor harbor -n harbor-system -f ./values.yaml
This command upgrades the harbor deployment in the harbor-system namespace using the configuration specified in the updated values.yaml file.
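Before creating the secret in the first step, it is worth confirming that the key actually belongs to the certificate and that the certificate is not close to expiry, since a mismatched pair otherwise only shows up after the upgrade. The script below is an added example, not part of the original post; the function names, the MIN_DAYS variable (default 30) and the preflight.sh filename are assumptions of this example, and secret_fingerprint needs access to the cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight checks for the
# replacement pair, run before `kubectl create secret tls`.

# True only if the certificate and the private key carry the same public key.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True only if the certificate is still valid N days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate file (hex pairs separated by colons).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Fingerprint of the certificate stored in a TLS secret (needs cluster access).
secret_fingerprint() {
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Run the offline checks. MIN_DAYS is this example's own knob (assumed: 30).
preflight() {
  local cert="$1" key="$2" days="${MIN_DAYS:-30}"
  cert_matches_key "$cert" "$key" \
    || { echo "FAIL: $key does not match $cert" >&2; return 1; }
  cert_valid_for_days "$cert" "$days" \
    || { echo "FAIL: $cert expires within $days days" >&2; return 2; }
  echo "OK: $(cert_fingerprint "$cert")"
}

# Example: ./preflight.sh harbor-v2.crt harbor-v2.key
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

After the helm upgrade, comparing the output of cert_fingerprint harbor-v2.crt with secret_fingerprint harbor-secret-v2 harbor-system confirms that the secret holds the certificate you intended to deploy.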
Conclusion
By following these steps, you’ve successfully replaced the certificate for your Harbor registry deployed on your TKG cluster. Remember to update your Harbor clients or local configurations to reflect the new certificate details for continued secure communication.