Hello,

I am running Harbor on a Kubernetes cluster, deployed using a NodePort service. All pods are up and I am able to push images into the repository, but I am facing an issue while trying to sign images using Notary. I checked the pod logs: the Notary server is running, but the signer gives a "tls: bad certificate" error.

I am using self-signed certificates generated using openssl. I created the harbor-tls secret for the certificate source:

```shell
kubectl create secret tls harbor-tls -n harbor --key="core.harbor.domain.key" --cert="core.harbor.domain.crt"
```

I configured and added core.harbor.domain.cert, core.harbor.domain.key and ca.crt to the docker certs.d folder.

I am using the values.yaml file below for overriding:
```yaml
expose:
  type: nodePort
  tls:
    # Enable TLS or not.
    # Delete the "ssl-redirect" annotations in "expose.ingress.annotations" when TLS is disabled and "expose.type" is "ingress"
    # Note: if the "expose.type" is "ingress" and TLS is disabled,
    # the port must be included in the command when pulling/pushing images.
    # Refer to goharbor/harbor#5291 for details.
    enabled: true
    # The source of the tls certificate. Set as "auto", "secret"
    # or "none" and fill the information in the corresponding section
    # 1) auto: generate the tls certificate automatically
    # 2) secret: read the tls certificate from the specified secret.
    # The tls certificate can be generated manually or by cert manager
    # 3) none: configure no tls certificate for the ingress. If the default
    # tls certificate is configured in the ingress controller, choose this option
    certSource: secret
    auto:
      # The common name used to generate the certificate, it's necessary
      # when the type isn't "ingress"
      commonName: ""
    secret:
      # The name of secret which contains keys named:
      # "tls.crt" - the certificate
      # "tls.key" - the private key
      secretName: harbor-tls
      # The name of secret which contains keys named:
      # "tls.crt" - the certificate
      # "tls.key" - the private key
      # Only needed when the "expose.type" is "ingress".
      notarySecretName: ""
  nodePort:
    # The name of NodePort service
    name: harbor
    ports:
      http:
        # The service port Harbor listens on when serving HTTP
        port: 80
        # The node port Harbor listens on when serving HTTP
        nodePort: 30002
      https:
        # The service port Harbor listens on when serving HTTPS
        port: 443
        # The node port Harbor listens on when serving HTTPS
        nodePort: 30003
      # Only needed when notary.enabled is set to true
      notary:
        # The service port Notary listens on
        port: 4443
        # The node port Notary listens on
        nodePort: 30004
externalURL: https://core..harbor.domain:30003
```
I am trying to sign an image by enabling content trust and generating a key as below:
```console
Login Succeeded
$ cp ca.crt /etc/docker/certs.d/core.harbor.domain:30003
$ cp ca.crt $HOME/.docker/tls/core.harbor.domain:30004/ca.crt
$ sudo docker trust key generate key
Generating key for key...
Enter passphrase for new key key with ID 9bb549f:
Repeat passphrase for new key key with ID 9bb549f:
Successfully generated and loaded private key. Corresponding public key available: /home/user/key.pub
$ export DOCKER_CONTENT_TRUST=0
$ sudo docker tag busybox core.harbor.domain:30003/demo/busybox:unsigned
$ export DOCKER_CONTENT_TRUST=1
$ export DOCKER_CONTENT_TRUST_SERVER=https://core.harbor.domain:30004/
$ sudo docker trust signer add key core.harbor.domain:30003/demo --key key.pub
Adding signer "key" to core.harbor.domain:30003/demo...
you are not authorized to perform this operation: server returned 401.
```
Here I have tagged the cluster node IP with core.harbor.domain, and it is listening on port 30003; Notary is on port 30004.

I expected the images to get signed here, but they remain unsigned and I get a "not authorized" error, even though I have copied all self-signed certificates to the required locations. Please help with this issue; what am I missing here?
Hi @ashusarode42, thanks for reporting this issue in harbor-helm.

Would you mind formatting the values.yaml content?

By the way, as Notary will be removed from Harbor v2.9.0 onwards, support for Notary issues will be limited. Please use cosign to sign images.
Hello,

I am running Harbor on a Kubernetes cluster, deployed using a NodePort service. All pods are up and I am able to push images into the repository, but I am facing an issue while trying to sign images using Notary.

I checked the pod logs: the Notary server is running, but the signer gives a "tls: bad certificate" error.

Harbor version: 2.8.0
Helm chart version: harbor-1.12.0
I am using self-signed certificates generated using openssl. I created the harbor-tls secret for the certificate source:

```shell
kubectl create secret tls harbor-tls -n harbor --key="core.harbor.domain.key" --cert="core.harbor.domain.crt"
```

I configured and added core.harbor.domain.cert, core.harbor.domain.key and ca.crt to the docker certs.d folder.
I am using the values.yaml file below for overriding:

```yaml
expose:
  type: nodePort
  tls:
    # Enable TLS or not.
    # Delete the "ssl-redirect" annotations in "expose.ingress.annotations" when TLS is disabled and "expose.type" is "ingress"
    # Note: if the "expose.type" is "ingress" and TLS is disabled,
    # the port must be included in the command when pulling/pushing images.
    # Refer to goharbor/harbor#5291 for details.
    enabled: true
    # The source of the tls certificate. Set as "auto", "secret"
    # or "none" and fill the information in the corresponding section
    # 1) auto: generate the tls certificate automatically
    # 2) secret: read the tls certificate from the specified secret.
    # The tls certificate can be generated manually or by cert manager
    # 3) none: configure no tls certificate for the ingress. If the default
    # tls certificate is configured in the ingress controller, choose this option
    certSource: secret
    auto:
      # The common name used to generate the certificate, it's necessary
      # when the type isn't "ingress"
      commonName: ""
    secret:
      # The name of secret which contains keys named:
      # "tls.crt" - the certificate
      # "tls.key" - the private key
      secretName: harbor-tls
      # The name of secret which contains keys named:
      # "tls.crt" - the certificate
      # "tls.key" - the private key
      # Only needed when the "expose.type" is "ingress".
      notarySecretName: ""
  nodePort:
    # The name of NodePort service
    name: harbor
    ports:
      http:
        # The service port Harbor listens on when serving HTTP
        port: 80
        # The node port Harbor listens on when serving HTTP
        nodePort: 30002
      https:
        # The service port Harbor listens on when serving HTTPS
        port: 443
        # The node port Harbor listens on when serving HTTPS
        nodePort: 30003
      # Only needed when notary.enabled is set to true
      notary:
        # The service port Notary listens on
        port: 4443
        # The node port Notary listens on
        nodePort: 30004
externalURL: https://core..harbor.domain:30003
```
I am trying to sign an image by enabling content trust and generating a key as below:
```console
Login Succeeded
$ cp ca.crt /etc/docker/certs.d/core.harbor.domain:30003
$ cp ca.crt $HOME/.docker/tls/core.harbor.domain:30004/ca.crt
$ sudo docker trust key generate key
Generating key for key...
Enter passphrase for new key key with ID 9bb549f:
Repeat passphrase for new key key with ID 9bb549f:
Successfully generated and loaded private key. Corresponding public key available: /home/user/key.pub
$ export DOCKER_CONTENT_TRUST=0
$ sudo docker tag busybox core.harbor.domain:30003/demo/busybox:unsigned
$ export DOCKER_CONTENT_TRUST=1
$ export DOCKER_CONTENT_TRUST_SERVER=https://core.harbor.domain:30004/
$ sudo docker trust signer add key core.harbor.domain:30003/demo --key key.pub
Adding signer "key" to core.harbor.domain:30003/demo...
you are not authorized to perform this operation: server returned 401.
```
Here I have tagged the cluster node IP with core.harbor.domain, and it is listening on port 30003; Notary is on port 30004.

I expected the images to get signed here, but they remain unsigned and I get a "not authorized" error, even though I have copied all self-signed certificates to the required locations. Please help with this issue; what am I missing here?
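A layout check worth running before retrying the `docker trust signer add` step, added here as an example that is not part of the issue or of the Harbor project: it verifies that the Docker daemon's certs.d path for the registry (`core.harbor.domain:30003`) and the docker CLI's tls path for the Notary endpoint (`core.harbor.domain:30004`) are directories holding the same PEM CA, which is the layout the two `cp` commands in the transcript are meant to produce. The base directories are parameters (normally `/etc/docker/certs.d` and `$HOME/.docker/tls`) so the check can run against a scratch tree; pass the `$HOME` that docker actually sees, which is typically root's rather than the login user's when the command is prefixed with `sudo`.

```shell
#!/usr/bin/env bash
# Added example, not from the issue or the Harbor project. Checks the CA
# layout that Docker expects for a registry and its Notary endpoint:
#   daemon (push/pull):      $certs_d/<registry-host:port>/ca.crt
#   docker CLI (trust ops):  $tls_dir/<notary-host:port>/ca.crt
# certs_d / tls_dir are parameters (normally /etc/docker/certs.d and
# $HOME/.docker/tls) so the check can be pointed at a scratch tree.

# check_ca_file DIR: returns 0 if DIR is a directory holding a PEM ca.crt
check_ca_file() {
  dir=$1
  if [ -f "$dir" ]; then
    # `cp ca.crt /etc/docker/certs.d/host:port` creates a *file* named
    # host:port when that directory does not exist yet; docker ignores it.
    echo "ERROR: $dir is a regular file; expected a directory with ca.crt" >&2
    return 1
  fi
  [ -d "$dir" ] || { echo "ERROR: $dir does not exist" >&2; return 1; }
  [ -f "$dir/ca.crt" ] || { echo "ERROR: $dir/ca.crt missing" >&2; return 1; }
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/ca.crt"; then
    echo "ERROR: $dir/ca.crt is not a PEM certificate" >&2
    return 1
  fi
  return 0
}

# check_trust_layout REGISTRY NOTARY CERTS_D TLS_DIR
# e.g. check_trust_layout core.harbor.domain:30003 core.harbor.domain:30004 \
#        /etc/docker/certs.d /root/.docker/tls
check_trust_layout() {
  registry=$1; notary=$2; certs_d=$3; tls_dir=$4; rc=0
  check_ca_file "$certs_d/$registry" || rc=1
  check_ca_file "$tls_dir/$notary" || rc=1
  # Both sides must trust the same CA, otherwise the push and the signing
  # step validate the server against different trust anchors.
  if [ "$rc" -eq 0 ] &&
     [ "$(cat "$certs_d/$registry/ca.crt")" != "$(cat "$tls_dir/$notary/ca.crt")" ]; then
    echo "ERROR: registry and notary ca.crt differ" >&2
    rc=1
  fi
  return "$rc"
}
```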