Client Cert Authentication for External Postgres #1859

Open
mmurtha opened this issue Nov 15, 2024 · 3 comments

Comments

@mmurtha

mmurtha commented Nov 15, 2024

Please add support for configuring client certificate authentication when connecting to an external PostgreSQL database. This would involve specifying paths for the following files in the Helm chart values (Values.database.external) and the corresponding configuration in the chart:

sslcert (Client certificate)
sslkey (Client key)
sslrootcert (CA certificate)

I have found one user-submitted PR for this functionality but it does not appear to have been implemented:
damyan#1

Thank you

@mmurtha mmurtha changed the title Client Cert Authentication for External Postgres · label: kind/requirement · Nov 15, 2024
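The three files the request names correspond one-to-one to libpq connection parameters, and the same keywords are accepted by the Go Postgres drivers in DSN form, so whatever the chart renders ends up as `sslmode=... sslcert=... sslkey=... sslrootcert=...` in the connection string. The Python below is an added illustration written for this issue, not code from the Harbor chart or Harbor core: it takes a dict shaped like `database.external` with the proposed keys, flags the combinations that cannot work (verify-ca/verify-full without a CA file, a client certificate without its key, a private key readable by group or world, which libpq refuses), and renders a libpq-style connection string. The function names `validate_external_db` and `build_conninfo`, the host `db.example.internal`, and the placeholder PEM files the demo writes to a temporary directory are assumptions for the example.

```python
"""Validate Harbor-style external-database TLS settings before they reach the driver.

Added example for issue #1859 (not part of the Harbor chart or core). The value keys
mirror the requested chart values database.external.sslmode/sslcert/sslkey/sslrootcert;
the validation rules follow documented libpq behaviour.
"""
import os
import stat
import tempfile

# The six sslmode values libpq understands.
VALID_SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")


def validate_external_db(external, check_files=True):
    """Return a list of problems found in a database.external values dict (empty = OK).

    Rules:
      * sslmode must be one of libpq's modes.
      * verify-ca / verify-full verify the server against a CA, so sslrootcert is required
        (the x509 error quoted in this issue is what verify-full produces when the SAN
        does not match the host; a missing CA fails earlier with "unknown authority").
      * client certificate auth needs both sslcert and sslkey.
      * libpq refuses a private key whose mode allows group or world access (0600 or
        stricter for a key owned by the connecting user); mirroring that check here makes
        the failure visible at deploy time instead of inside the core pod.
    """
    problems = []
    mode = external.get("sslmode", "prefer")
    if mode not in VALID_SSLMODES:
        problems.append(f"unknown sslmode {mode!r}")
    if mode in ("verify-ca", "verify-full") and not external.get("sslrootcert"):
        problems.append(f"sslmode={mode} requires sslrootcert (CA certificate) to verify the server")
    cert, key = external.get("sslcert"), external.get("sslkey")
    if bool(cert) != bool(key):
        problems.append("client certificate auth needs both sslcert and sslkey")
    if check_files:
        for label in ("sslcert", "sslkey", "sslrootcert"):
            path = external.get(label)
            if path and not os.path.isfile(path):
                problems.append(f"{label}: file not found: {path}")
        if key and os.path.isfile(key):
            mode_bits = stat.S_IMODE(os.stat(key).st_mode)
            if mode_bits & 0o077:  # any group/other bit set
                problems.append(f"sslkey {key} has mode {mode_bits:04o}; libpq requires 0600 or stricter")
    return problems


def build_conninfo(host, user, dbname, external, port=5432):
    """Render a libpq keyword/value connection string.

    Values containing spaces, quotes or backslashes are single-quoted with the
    escaping libpq expects, so a path with a space cannot split the string.
    """
    params = {"host": host, "port": port, "user": user, "dbname": dbname}
    for key in ("sslmode", "sslcert", "sslkey", "sslrootcert"):
        if external.get(key):
            params[key] = external[key]
    parts = []
    for k, v in params.items():
        v = str(v)
        if v == "" or any(c in v for c in " '\\"):
            v = "'" + v.replace("\\", "\\\\").replace("'", "\\'") + "'"
        parts.append(f"{k}={v}")
    return " ".join(parts)


def demo():
    """Constructed scenario: CA bundle plus a client cert whose key is world-readable.

    The PEM files are placeholders written to a temp directory; they are not real keys.
    Returns (problems before fixing the key mode, problems after, rendered conninfo).
    """
    tmp = tempfile.mkdtemp()
    paths = {}
    for name in ("ca.crt", "tls.crt", "tls.key"):
        p = os.path.join(tmp, name)
        with open(p, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed, not a real PEM
        os.chmod(p, 0o644)  # what a default Secret volume mount would give you
        paths[name] = p
    external = {
        "sslmode": "verify-full",
        "sslrootcert": paths["ca.crt"],
        "sslcert": paths["tls.crt"],
        "sslkey": paths["tls.key"],
    }
    before = validate_external_db(external)
    os.chmod(paths["tls.key"], 0o600)  # the fix: restrict the key
    after = validate_external_db(external)
    return before, after, build_conninfo("db.example.internal", "harbor", "harbor", external)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The permission rule is the part most likely to bite a chart implementation: a file projected from a Kubernetes Secret is mode 0644 unless the volume sets a restrictive `defaultMode`, so if the chart ever mounts `sslkey` it needs to set that mode (or copy the key with `chmod 0600` in an init step) for any libpq-based client to accept it.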
@Med-hedi-bra

I think this is a very valuable contribution.

I have installed Harbor using Helm and am trying to connect the Harbor core to an external database with SSL communication enabled using the following configuration:

database:
  type: external
  external:
    sslmode: verify-full

However, I encountered the following error:

failed to initialize database: Register db Ping `default`, failed to connect to `host=223.144.17.83 user=harbor database=harbor`: failed to write startup message (tls: failed to verify certificate: x509: certificate is valid for 51.15.200.157, 51.50.24.161, 51.151.24.161, not 195.154.197.18

This behavior is expected because the certificate is not mounted inside the filesystem of the Harbor components.

I believe this is a critical issue, as SSL communication is essential. We should provide a way to mount the certificate within the Harbor components to enable proper SSL communication with external databases.

@mmurtha
Author

mmurtha commented Dec 10, 2024

> I think this is a very valuable contribution.
>
> I have installed Harbor using Helm and am trying to connect the Harbor core to an external database with SSL communication enabled using the following configuration:
>
> database:
>   type: external
>   external:
>     sslmode: verify-full
>
> However, I encountered the following error:
>
> failed to initialize database: Register db Ping `default`, failed to connect to `host=223.144.17.83 user=harbor database=harbor`: failed to write startup message (tls: failed to verify certificate: x509: certificate is valid for 51.15.200.157, 51.50.24.161, 51.151.24.161, not 195.154.197.18
>
> This behavior is expected because the certificate is not mounted inside the filesystem of the Harbor components.
>
> I believe this is a critical issue, as SSL communication is essential. We should provide a way to mount the certificate within the Harbor components to enable proper SSL communication with external databases.

I have SSL verification working on the connection to the database. The issue I have is I have to use username/password rather than client cert authentication.

Your error may be due to your certificate. Perhaps an SNI error.

@jdblack

jdblack commented Jan 23, 2025

> I think this is a very valuable contribution.
>
> I have installed Harbor using Helm and am trying to connect the Harbor core to an external database with SSL communication enabled using the following configuration:

So, I was able to get harbor to talk https to my oidc server (a similar problem to yours) by providing the CA cert via a k8s server and passing it via helm with caBundleSecretName . I believe the same solution will work for you!

The steps are as follows:

  1. Get the ca.crt for your local CA. If you are using certman and clusterissuer like me, there will be a k8s secret named after the ca in certman's namespace. The cert will be in the secret under data.tls.crt.
  2. Place that tls.crt into a secret in harbor's namespace, with a name of anything_you_like.crt
  3. Provide helm with the secret by passing caBundleSecretName

# My opentofu (e.g. terraform) configuration:

variable namespace {  }
variable name      { default     = "harbor" }
variable domain    { type = string }
variable certca    { type = string }
variable auth_secret { }
variable ssl_ca {}
variable ssl_ca_namespace {}
variable oidc_id  { default = "harbor" }
variable keycloak_endpoint {}

locals {
  fqdn = "${var.name}.${var.domain}"
  url = "https://${local.fqdn}"
  oidc_callback = "${local.url}/c/oidc/callback"
  ca_secret_name = "${var.ssl_ca}.crt"

  # These are used by the helm resource. If you're not doing
  # things this way, then you can do:
  #   set {
  #      name = "caBundleSecretName"
  #      value = local.ca_secret_name
  #   }

  helm_values = {
    "externalURL"                = local.url,
    "updateStrategy.type"        = "Recreate",
    # random_password.admin_password is declared elsewhere in this configuration (not shown here)
    "harborAdminPassword"        = random_password.admin_password.result,

    "persistentVolumeClaim.registry.size"  = "20Gi",
    # The secret created below; the chart mounts it as the CA bundle
    "caBundleSecretName"                   = local.ca_secret_name,

    "expose.ingress.tls.certSource"        = "secret",
    "expose.ingress.tls.secret.secretName" = "${var.name}-cert",
    "expose.ingress.hosts.core"            = local.fqdn,
    "expose.ingress.className"             = "private",

    "expose.ingress.annotations.external-dns\\.alpha\\.kubernetes\\.io/hostname" = local.fqdn,
    "expose.ingress.annotations.cert-manager\\.io/cluster-issuer" = var.certca,
  }
}

# Read the CA secret that cert-manager keeps in its own namespace
data kubernetes_secret ca_cert {
  metadata {
    name      = var.ssl_ca
    namespace = var.ssl_ca_namespace
  }
}

# Create a secret that we can pass to helm with caBundleSecretName
resource kubernetes_secret ca_cert {
  metadata {
    name      = local.ca_secret_name
    namespace = var.namespace
  }
  data = {
    # Copy only the CA certificate (tls.crt) into harbor's namespace, under the key the chart expects
    "ca.crt" = data.kubernetes_secret.ca_cert.data["tls.crt"]
  }
}

resource "helm_release" "harbor" {
  name       = "harbor"
  repository = "https://helm.goharbor.io"
  chart      = "harbor"
  namespace  = var.namespace

  dynamic "set" {
    for_each = local.helm_values
    content {
      name  = set.key
      value = set.value
    }
  }
}


