How to configure a Private CA cert for S3 Backend

[harrisonbc]

I'm trying to setup harbor with an S3 backend on kubernetes via the helm chart.
If I use a S3 service (minio) with a well know certificate then all is well, however if the S3 service has a cert signed by a private CA then I get errors in the registry pod: "tls: failed to verify certificate: x509: certificate signed by unknown authority" err.message="unknown error""

This is despite having set caBundleSecretName as documented in the harbor helm values file here: https://github.com/goharbor/harbor-helm/blob/main/values.yaml

Which states the following: (Lines 186-189)

Specify the "caBundleSecretName" if the storage service uses a self-signed certificate.

The secret must contain keys named "ca.crt" which will be injected into the trust store

of registry's containers.

caBundleSecretName:

Can anyone offer any assistance?

[stonezdj]

You can diagnostic the problem by compare the the content of the cert file.

1. Check the file content of trusted cert in the container

kubectl exec -it <registry_container_id> bash
cat /harbor_cust_cert/storage_ca_bundle.crt

2. Compare the content with the ca.crt in local.
   If it doesn't match, then there is something wrong with your secret.