TL;DR: On June 19, Chainguard Harbor images switch to a wrapper entrypoint that fixes custom Certificate Authority (CA) support and matches upstream goharbor/*. No action needed unless you override command:/args: or match on entrypoint strings in policy tooling.
| Announcement date | Planned Change date |
| --- | --- |
| 2026-05-20 | 2026-06-19 |
What’s Changing
On June 19, five Chainguard Harbor images will start using a small wrapper script as their entrypoint, instead of calling the Harbor binary directly.
This affects harbor-core, harbor-jobservice, harbor-registryctl, harbor-registry, and harbor-trivy-adapter (including -fips variants, versions 2.12, 2.13, 2.14, 2.15).
The wrapper matches what upstream goharbor/* images already do: it installs custom CAs into the container's trust store before starting Harbor. The Harbor binary, its arguments, ports, and behavior are otherwise identical.
Why we’re making this change
Customers using the upstream Harbor Helm chart with Chainguard images saw TLS failures (x509: certificate signed by unknown authority) when custom CAs were configured, because our images skipped the wrapper the chart relies on. This change fixes that and brings our images fully in line with upstream.
Do you need to do anything?
Most customers will not need to take any action.
If you are utilizing the upstream goharbor/harbor-helm chart with its default configurations, your pods will automatically adopt these updates. Furthermore, custom CA settings—specifically caBundleSecretName and internalTLS.enabled—will begin functioning as intended if they are already part of your environment.
You need to take action if your environment meets the following criteria:
- You override command: or args: in your pod specifications or Helm values. If you point directly to a binary (e.g., /harbor/harbor_core), your deployment will continue to function but will bypass the new wrapper, preventing custom CAs from being installed. To ensure compatibility with custom CAs, remove the override or update it to use the new entrypoint paths:
  - Core / Jobservice: /harbor/entrypoint.sh
  - Registryctl: /home/harbor/start.sh
  - Registry: /home/harbor/entrypoint.sh
  - Trivy-adapter: /home/scanner/entrypoint.sh
- You use admission controllers or audit tooling that validates literal entrypoint strings. Please ensure the paths listed above are added to your allow-lists prior to the June 19 effective date.
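One way to find affected overrides before the change date, as an added example (not Chainguard's or Harbor's own tooling): the script below reads `kubectl get pods -o json` output and reports containers running one of the five affected images whose command: does not start with the wrapper path listed above. The sample pods, the registry.example image references and the OK/BYPASS/REVIEW labels are constructed for this example.

```python
import json
import sys

# Wrapper entrypoints from the announcement, keyed by image name.
WRAPPERS = {
    "harbor-core": "/harbor/entrypoint.sh",
    "harbor-jobservice": "/harbor/entrypoint.sh",
    "harbor-registryctl": "/home/harbor/start.sh",
    "harbor-registry": "/home/harbor/entrypoint.sh",
    "harbor-trivy-adapter": "/home/scanner/entrypoint.sh",
}
# Constructed sample pods; image references and pod names are made up.
SAMPLE = {"items": [
    {"metadata": {"name": "core-0"}, "spec": {"containers": [
        {"name": "core", "image": "registry.example/harbor-core-fips:2.14",
         "command": ["/harbor/harbor_core"]}]}},
    {"metadata": {"name": "registry-0"}, "spec": {"containers": [
        {"name": "registry", "image": "registry.example/harbor-registry:2.15",
         "command": ["/home/harbor/entrypoint.sh"]},
        {"name": "registryctl", "image": "registry.example/harbor-registryctl:2.15"}]}},
]}

def image_name(ref):
    """Strip registry, tag, digest and -fips suffix from an image reference."""
    name = ref.split("@")[0].rsplit("/", 1)[-1].split(":")[0]
    return name[:-5] if name.endswith("-fips") else name

def audit(pod_list):
    """Return (pod, container, status, wrapper) for each overridden Harbor container."""
    findings = []
    for pod in pod_list.get("items", []):
        for c in pod.get("spec", {}).get("containers", []):
            wrapper = WRAPPERS.get(image_name(c.get("image", "")))
            command, args = c.get("command"), c.get("args")
            if wrapper is None or not (command or args):
                continue  # unaffected image, or image defaults in use
            if not command:
                status = "REVIEW"   # args-only override: check it by hand
            elif command[0] == wrapper:
                status = "OK"       # already starts through the wrapper
            else:
                status = "BYPASS"   # wrapper skipped, custom CAs not installed
            findings.append((pod["metadata"]["name"], c["name"], status, wrapper))
    return findings

if __name__ == "__main__":
    # Pipe `kubectl get pods -n <namespace> -o json` in; with no pipe the sample runs.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for row in audit(data):
        print("{:<14} {:<12} {:<7} expected entrypoint: {}".format(*row))
```

A command that reaches the wrapper indirectly (for example through a shell) is still reported as BYPASS, because only the first element of command: is compared.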
Need help or have questions? We're here to help - visit our support portal at support.chainguard.dev.
- Chainguard Team