Harbor and Clair can be deployed with certificates signed by certificate authorities that are not present in the adapter host's root CA set. In that case, the corresponding clients fail with the well-known error: `certificate signed by unknown authority`. The same error occurs with self-signed certificates, because the clients don't recognise the signer as a trusted root CA.
To support custom root CAs and self-signed certificates, we should support the following configs:
| Name | Default Value | Description |
|------|---------------|-------------|
| SCANNER_HTTP_TLS_CLIENTCAS | | An array of absolute paths to x509 CA files that will be added to host's root CA set |
| SCANNER_HTTP_TLS_INSECURE_SKIP_VERIFY | false | Controls whether a client verifies the server's certificate chain and host name. |
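One way the two settings could be turned into a client `tls.Config`, as an added sketch that is not the adapter's own code. The function name `NewTLSConfig` and the comma-separated encoding of the path array are assumptions; the proposal above does not specify either.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// NewTLSConfig (hypothetical name) takes the raw values of the two settings;
// the CA list is assumed to be comma-separated.
func NewTLSConfig(clientCAs, skipVerify string) (*tls.Config, error) {
	insecure := false // default from the table: verification stays on
	if skipVerify != "" {
		v, err := strconv.ParseBool(skipVerify)
		if err != nil {
			return nil, fmt.Errorf("invalid skip-verify value %q: %w", skipVerify, err)
		}
		insecure = v
	}
	// Start from the host's root CA set so publicly trusted CAs keep working.
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	for _, p := range strings.Split(clientCAs, ",") {
		if p = strings.TrimSpace(p); p == "" {
			continue
		}
		if !filepath.IsAbs(p) {
			return nil, fmt.Errorf("CA path %q is not absolute", p)
		}
		pem, err := os.ReadFile(p)
		if err != nil {
			return nil, fmt.Errorf("reading CA file: %w", err)
		}
		if !pool.AppendCertsFromPEM(pem) { // fail closed on an unusable file
			return nil, fmt.Errorf("no PEM certificates found in %q", p)
		}
	}
	return &tls.Config{RootCAs: pool, InsecureSkipVerify: insecure}, nil
}

func main() {
	_, err := NewTLSConfig(os.Getenv("SCANNER_HTTP_TLS_CLIENTCAS"), os.Getenv("SCANNER_HTTP_TLS_INSECURE_SKIP_VERIFY"))
	fmt.Println("TLS config error:", err)
}
```

Returning an error for an unreadable or empty CA file surfaces a misconfigured path at startup instead of later as `certificate signed by unknown authority`.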