k8s Study Notes 2: Setting Up a Harbor Private Registry

Contents
I. Introduction
II. Environment preparation
  1. Install docker-compose
  2. Download and extract Harbor
III. Harbor deployment
  1. HTTP deployment
  2. HTTPS deployment
    a. Deploying with a self-signed certificate
    b. Deploying with a third-party-signed certificate
  3. Configure start on boot
IV. Accessing the Harbor registry (self-signed HTTPS registry)
  Method 1: modify the startup file
  Method 2: distribute the ca.cert certificate to other Docker engines
  Method 3: access from k8s pods
V. References

I. Introduction

This installation was done on Ubuntu 22.04 with Harbor v2.5.3. Docker is already installed (v20.10.12). The setup builds directly on the previous blog post, and Harbor is installed on k8s-master1.

II. Environment preparation

1. Install docker-compose

    apt install pip -y
    pip install docker-compose

Check the installation:

    docker-compose --version

2. Download and extract Harbor

Official releases: https://github.com/goharbor/harbor/releases
The latest version at the time of writing is v2.5.3.

Download Harbor:

    wget https://storage.googleapis.com/harbor-releases/release-2.5.0/harbor-online-installer-v2.5.3.tgz

Extract the archive:

    root@k8s-master1:~# tar -xvf harbor-online-installer-v2.5.3.tgz
    harbor/prepare
    harbor/LICENSE
    harbor/install.sh
    harbor/common.sh
    harbor/harbor.yml.tmpl

III. Harbor deployment

1. HTTP deployment

Edit the Harbor configuration file. For a non-HTTPS deployment, set the hostname field, comment out the https section, and then run the installer.

    root@k8s-master1:~# cd harbor/
    root@k8s-master1:~/harbor# cp harbor.yml.tmpl harbor.yml
    root@k8s-master1:~/harbor# nano harbor.yml
    root@k8s-master1:~/harbor# more harbor.yml
    # Configuration file of Harbor

    # The IP address or hostname to access admin UI and registry service.
    # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
    hostname: 192.168.100.240

    # http related config
    http:
      # port for http, default is 80. If https enabled, this port will redirect to https port
      port: 80

    # https related config
    #https:
      # https port for harbor, default is 443
    #  port: 443
      # The path of cert and key files for nginx
    #  certificate: /your/certificate/path
    #  private_key: /your/private/key/path
    .......

Start the installation (it downloads the images, which takes roughly 6 minutes depending entirely on network speed):

    ./install.sh

Once the installation has finished, log in to the web UI (the default account is admin, the password is Harbor12345).

2. HTTPS deployment

Official HTTPS configuration documentation: https://goharbor.io/docs/2.0.0/install-config/configure-https/

Use the following commands to remove the Harbor instance currently deployed over HTTP. If you did not deploy over HTTP, there is no need to run them.

    root@k8s-master1:~/harbor# docker-compose down
    root@k8s-master1:~/harbor# rm docker-compose.yml

a. Deploying with a self-signed certificate

1. Edit the harbor.yml configuration file

    root@k8s-master1:~/harbor# cat harbor.yml
    # Configuration file of Harbor

    # The IP address or hostname to access admin UI and registry service.
    # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
    hostname: registry.harbor.com

    # http related config
    http:
      # port for http, default is 80. If https enabled, this port will redirect to https port
      port: 80

    # https related config
    https:
      # https port for harbor, default is 443
      port: 443
      # The path of cert and key files for nginx
      # Note: these are the paths of the Harbor server's certificate and private key. They must match
      # the location of the self-signed or third-party-signed certificate; this is the location I use.
      certificate: /data/cert/registry.harbor.com.crt
      private_key: /data/cert/registry.harbor.com.key
    ......

2. Generate the self-signed certificate

    #!/bin/bash
    ############################ Generate the certificate authority certificate ############################
    #1. Generate the CA private key
    mkdir -p /root/harbor/ssl
    cd /root/harbor/ssl
    openssl genrsa -out ca.key 4096
    #2. Generate the CA certificate
    openssl req -x509 -new -nodes -sha512 -days 3650 \
     -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=registry.harbor.com" \
     -key ca.key \
     -out ca.crt
    ############################ Generate the server certificate ############################
    #1. Generate the Harbor server private key
    openssl genrsa -out registry.harbor.com.key 4096
    #2. Generate the certificate signing request (CSR)
    openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=registry.harbor.com" -key registry.harbor.com.key -out registry.harbor.com.csr
    #3. Generate an x509 v3 extension file
    cat > v3.ext

...... /etc/hosts

5. After the installation succeeds, log in at https://registry.harbor.com. The browser will warn that the connection is risky.

b. Deploying with a third-party-signed certificate

Deploying a certificate signed by a third party is simpler than deploying a self-signed one.

Suppose we have obtained a certificate for registry.zhangsan.com from a third-party authority. The certificate file is registry.zhangsan.com.crt and the private key is registry.zhangsan.com.key; both files are stored in the /data/zhangsan/ directory.

1. Edit the harbor.yml file

    # Configuration file of Harbor

    # The IP address or hostname to access admin UI and registry service.
    # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
    hostname: registry.zhangsan.com

    # http related config
    http:
      # port for http, default is 80. If https enabled, this port will redirect to https port
      port: 80

    # https related config
    https:
      # https port for harbor, default is 443
      port: 443
      # The path of cert and key files for nginx
      certificate: /data/zhangsan/registry.zhangsan.com.crt
      private_key: /data/zhangsan/registry.zhangsan.com.key

2. Convert registry.zhangsan.com.crt to registry.zhangsan.com.cert for use by Docker.

    openssl x509 -inform PEM -in registry.zhangsan.com.crt -out registry.zhangsan.com.cert

3. Run the installer

    ./install.sh

3. Configure start on boot

Use systemd to start and stop Harbor. In the unit below, the path in Environment=harbor_install_path=/root must be changed to your own Harbor installation path.

    cat > /usr/lib/systemd/system/harbor.service
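
A pre-flight check for the certificate that harbor.yml points at, as an added example that is not part of the original notes: it confirms that the server certificate chains to the CA and carries the registry hostname as a DNS subjectAltName, which Docker and other Go-based clients require (they ignore the CN). The function names, the throwaway demo CA and the 2048-bit demo keys are assumptions made for this example; `x509 -ext` needs OpenSSL 1.1.1 or later.

```shell
# Added example: validate a Harbor server certificate before running ./install.sh.
# File names and the demo PKI below are constructed for illustration.

# check_registry_cert CA_FILE CERT_FILE HOSTNAME
# Returns 0 if CERT_FILE chains to CA_FILE as a TLS server certificate and
# lists HOSTNAME as a DNS subjectAltName; 1 on a chain failure, 2 on a SAN failure.
check_registry_cert() {
    ca=$1; cert=$2; host=$3
    openssl verify -purpose sslserver -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not chain to $ca" >&2; return 1; }
    # Split the SAN list into one entry per line and require an exact match.
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$host" || {
        echo "FAIL: $cert has no SAN entry DNS:$host" >&2; return 2; }
    echo "OK: $cert is valid for $host"
}

# make_demo_pki DIR HOSTNAME
# Builds a throwaway CA in DIR plus two certificates for HOSTNAME:
#   with-san.crt (signed with a v3 extension file) and cn-only.crt (no extensions).
# Runs in a subshell so the caller's working directory is untouched.
make_demo_pki() (
    set -e
    mkdir -p "$1"; cd "$1"; host=$2
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 1 -subj "/CN=Demo CA" \
        -key ca.key -out ca.crt
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -sha512 -subj "/CN=$host" -key server.key -out server.csr
    # Constructed extension file for the demo, not the author's v3.ext.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$host" > v3.ext
    openssl x509 -req -sha512 -days 1 -extfile v3.ext -CA ca.crt -CAkey ca.key \
        -CAcreateserial -in server.csr -out with-san.crt 2>/dev/null
    openssl x509 -req -sha512 -days 1 -CA ca.crt -CAkey ca.key \
        -CAcreateserial -in server.csr -out cn-only.crt 2>/dev/null
)
```

Against a real deployment, call it with the files from the notes, for example `check_registry_cert /root/harbor/ssl/ca.crt /data/cert/registry.harbor.com.crt registry.harbor.com`.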