Deploying Harbor over HTTPS
Preparation
192.168.112.99, harbor, centos7
192.168.112.3, test machine, centos7
docker version: docker-ce 20.10.16 (installation reference: https://blog.csdn.net/weixin_41988331/article/details/88743963)
docker-compose version: 1.29.2 (installation reference: same as above, or download the latest release from https://github.com/docker/compose/releases or Alibaba Cloud)
Harbor version: harbor-offline-installer-v2.6.4.tgz (GitHub: https://github.com/goharbor/harbor/releases, or Alibaba Cloud)
Installing docker-compose
mv docker-compose-linux-x86_64 /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose version
HTTPS certificates
mkdir certs
cd certs
# Create the CA private key
openssl genrsa -out ca.key 4096
# Generate the self-signed CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Jangsu/L=Nanjing/O=example/OU=Personal/CN=xxx.com" \
-key ca.key \
-out ca.crt
# Subject fields:
## C, Country: the country
## ST, State: the province
## L, Location: the city
## O, Organization: the organization or company
## OU, Organization Unit: the department
## CN, Common Name: the server domain name
## emailAddress: the contact e-mail address
# Generate the private key and certificate signing request for the Harbor server
openssl genrsa -out xxx.com.key 4096
openssl req -sha512 -new \
-subj "/C=CN/ST=Jangsu/L=Nanjing/O=example/OU=Personal/CN=xxx.com" \
-key xxx.com.key \
-out xxx.com.csr
# Extension file listing the subject alternative names.
# The IP address goes in an IP entry: DNS entries are only matched against host names.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=xxx.com
DNS.2=harbor.xxx.com
IP.1=192.168.112.99
EOF
# Sign the certificate with the self-signed CA
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in xxx.com.csr \
-out xxx.com.crt
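The following check is an added example, not part of the original page. It builds a throwaway CA and two test certificates the same way as the commands above, and shows that 192.168.112.99 only matches a certificate that lists it as an IP-type subjectAltName entry, not as a DNS entry. The demo-ca name, the file names and the 2048-bit one-day keys are assumptions made for the test.

```sh
#!/bin/sh
# Added example, not from the original page. All keys and certificates are
# constructed throwaway test data (2048-bit, valid for one day).
set -eu
HOST=harbor.xxx.com   # registry name used on this page
ADDR=192.168.112.99   # registry IP used on this page

# issue_cert DIR NAME SAN: sign DIR/NAME.crt with the CA key pair in DIR
issue_cert() {
  dir=$1; name=$2; san=$3
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
    "$san" > "$dir/$name.ext"
  openssl req -config "$dir/req.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -extfile "$dir/$name.ext" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
}

# san_matches CERT host|ip VALUE: prints yes or no
san_matches() {
  if openssl x509 -in "$1" -noout "-check$2" "$3" | grep -q 'does match'; then
    echo yes
  else
    echo no
  fi
}

# run_demo: prints four results: chain, host, IP-as-DNS-entry, IP-as-IP-entry
run_demo() {
  dir=$(mktemp -d)
  # Minimal request config so the demo CA always carries CA:TRUE
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$dir/req.cnf"
  openssl req -config "$dir/req.cnf" -x509 -new -newkey rsa:2048 -nodes -sha256 \
    -days 1 -subj "/CN=demo-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  issue_cert "$dir" dns_only "DNS:$HOST,DNS:$ADDR"
  issue_cert "$dir" with_ip "DNS:$HOST,IP:$ADDR"
  chain=no
  if openssl verify -CAfile "$dir/ca.crt" "$dir/with_ip.crt" >/dev/null 2>&1; then chain=yes; fi
  echo "$chain $(san_matches "$dir/with_ip.crt" host "$HOST")" \
    "$(san_matches "$dir/dns_only.crt" ip "$ADDR")" \
    "$(san_matches "$dir/with_ip.crt" ip "$ADDR")"
  rm -rf "$dir"
}

run_demo   # expected: yes yes no yes
```

The same `openssl verify` and `-checkhost` / `-checkip` calls can be run against the real ca.crt and xxx.com.crt before installing Harbor.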
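Installing Harbor
The offline installer is used here. Download the package from https://github.com/goharbor/harbor/releases
# The archive unpacks into a harbor/ directory, so extract it under /usr/local/
tar -xf harbor-offline-installer-v2.6.4.tgz -C /usr/local/
# Run from the directory that contains certs/
mv certs /usr/local/harbor/
cd /usr/local/harbor/
# The installer ships harbor.yml.tmpl; copy it to harbor.yml and edit the copy
cp harbor.yml.tmpl harbor.yml
Edit harbor.yml
hostname: harbor.xxx.com
https:
  # Certificate and key generated in the HTTPS certificates step
  certificate: /usr/local/harbor/certs/xxx.com.crt
  private_key: /usr/local/harbor/certs/xxx.com.key
data_volume: /data
Create the Harbor data directory and mount the data disk on /data
mkdir /data
./install.sh --help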
Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https.
Please set --with-trivy if needs enable Trivy in Harbor
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor
# --with-trivy enables Trivy scanning
./install.sh --with-trivy --with-chartmuseum
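Accessing Harbor
Add a hosts entry: 192.168.112.99 harbor.xxx.com
Login account and password: admin / Harbor12345
Harbor12345 is the installer's default admin password (harbor_admin_password in harbor.yml); change it after the first login.
Pushing images to Harbor
Docker reads trusted CA certificates from /etc/docker/certs.d/<registry host>/, so the directory is named after harbor.xxx.com and holds ca.crt.
192.168.112.3# mkdir -p /etc/docker/certs.d/harbor.xxx.com
192.168.112.99# scp /usr/local/harbor/certs/ca.crt 192.168.112.3:/etc/docker/certs.d/harbor.xxx.com/
192.168.112.3# vim /etc/hosts
192.168.112.99 harbor.xxx.com
192.168.112.3# cat /etc/docker/daemon.json
{"insecure-registries":["harbor.xxx.com"]}
192.168.112.3# systemctl restart docker
192.168.112.3# docker login harbor.xxx.com -u admin -p Harbor12345
Note: the insecure-registries entry makes Docker skip certificate verification for harbor.xxx.com. With ca.crt in /etc/docker/certs.d/harbor.xxx.com/ the registry certificate verifies without it, so the entry can be left out of daemon.json.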
Deployment configuration (required before images can be pulled)
First create the imagePullSecrets
kubectl create secret docker-registry image-pull-secret \
-n <namespace> \
--docker-server=<registry-server> \
--docker-username=<username> \
--docker-password=<password> \
--docker-email=<email>
Deployment configuration (at the same level as containers)
spec:
  template:
    spec:
      imagePullSecrets:
      - name: image-pull-secret
Harbor deployment reference: https://www.cnblogs.com/punchlinux/p/16499966.html
imagePullSecrets reference: https://www.jianshu.com/p/1586c0e6ddd6