一、安装harbor
二、生成证书
1、生成CA证书私钥
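# Generate the CA private key (4096-bit RSA). Whoever holds this key can
# mint certificates every client in the fleet will trust, so it must never
# be copied into certs.d or onto client machines; only ca.crt is distributed.
# umask 077 guarantees the file is 0600 regardless of OpenSSL version
# (older releases honoured the process umask and could leave it 0644).
(umask 077 && openssl genrsa -out ca.key 4096)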
2、生成CA证书
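# Self-signed CA certificate, valid 10 years, signed with ca.key.
# The original listing carried the interactive "> " continuation prompts in
# front of the -subj/-key/-out lines; pasted as-is those become stdout
# redirections (creating files named "-subj" etc.), so they are removed here.
# -nodes leaves ca.key unencrypted: file permissions are its only protection.
# Using the Harbor IP as the CA's CN works but makes the CA and the server
# certificate indistinguishable in chain output; a descriptive CN such as
# "Harbor Root CA" is easier to audit. Kept as-is to match the rest of the page.
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=iscas/OU=IT/CN=172.16.10.151" \
  -key ca.key \
  -out ca.crt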
C=CN(国家),ST=Beijing(省份),L=Beijing(城市),O=iscas(公司),OU=IT(部门),CN=172.16.10.151(harbor的ip或域名)。CN 只在服务器证书(第4步的 CSR)中需要填 Harbor 的 IP 或域名;CA 证书的 CN 可以用任意能区分 CA 的名字,不必与服务器证书相同。注意:Docker 等基于 Go 的 TLS 客户端校验的是第5步写入的 subjectAltName,而不是 CN,所以 SAN 必须与客户端实际访问的 IP/域名一致。
3、生成服务器证书私钥.key
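# Generate the Harbor server's private key (4096-bit RSA). This key is later
# handed to nginx inside Harbor; umask 077 ensures it is created 0600 even on
# OpenSSL builds that honour the default umask for -out files.
(umask 077 && openssl genrsa -out server.key 4096)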
4、生成证书签名请求.csr
# Certificate signing request for the Harbor host. The CN is the IP (or
# FQDN) clients will dial; it must match the subjectAltName in step 5.
subj='/C=CN/ST=Beijing/L=Beijing/O=iscas/OU=IT/CN=172.16.10.151'
openssl req -new -sha512 -key server.key -subj "$subj" -out server.csr
5、生成一个x509 v3扩展文件
# Write the X.509 v3 extension file for the leaf certificate.
# subjectAltName is the line that matters for Docker/Go clients: they ignore
# the CN and match only SANs. basicConstraints=CA:FALSE keeps the server cert
# from being usable as an issuer; extendedKeyUsage restricts it to TLS servers.
printf '%s\n' \
  'authorityKeyIdentifier=keyid,issuer' \
  'basicConstraints=CA:FALSE' \
  'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
  'extendedKeyUsage = serverAuth' \
  'subjectAltName = IP:172.16.10.151' > v3.ext
6、生成Harbor主机证书
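# Sign the CSR with the CA, applying the v3 extensions from step 5 (SAN,
# CA:FALSE, serverAuth). -CAcreateserial creates ca.srl on first use.
# Caveat: a 3650-day leaf exceeds the 825-day limit Apple platforms apply to
# TLS server certificates, including privately trusted ones; Docker and curl
# accept it, Safari may not.
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in server.csr \
  -out server.crt
# Verify the chain and confirm the SAN actually made it into the certificate
# before copying anything to Docker or Harbor; a missing SAN only surfaces
# later as an opaque "x509: certificate is valid for ..." error at docker login.
openssl verify -CAfile ca.crt server.crt
openssl x509 -in server.crt -noout -text | grep -A1 'Subject Alternative Name'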
7、转换server.crt为server.cert
供Docker使用。Docker守护程序会把/etc/docker/certs.d目录下的.crt文件当作CA证书、把.cert文件当作客户端证书,因此服务器证书放入该目录时需要改为.cert后缀,否则会被误当成CA证书;内容本身仍是同一份PEM。
# Re-emit the same PEM certificate under a .cert suffix, the name Docker
# expects for a client certificate inside certs.d (a .crt there is read as a CA).
openssl x509 -inform PEM -outform PEM -in server.crt -out server.cert
8、拷贝证书到Harbor主机上的Docker证书文件夹
创建文件夹/etc/docker/certs.d/yourdomain.com:port或/etc/docker/certs.d/harbor_ip:port
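# Install the certificates for the Harbor host's own Docker daemon.
# Directory name is <registry host>:<port>, exactly as it appears in image refs.
certs_dir=/etc/docker/certs.d/172.16.10.151:443
mkdir -p -- "$certs_dir"
# ca.crt is what makes this daemon trust the registry's certificate.
cp -- ca.crt "$certs_dir/"
# server.cert/server.key in certs.d act as a *client* certificate for mutual
# TLS, which Harbor does not require. They are kept because the original copied
# them, but the private key must not be readable by other local users.
cp -- server.cert server.key "$certs_dir/"
chmod 600 "$certs_dir/server.key"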
9、编辑harbor.yml
配置https证书。注意:第8步只把证书复制到了/etc/docker/certs.d,下面 harbor.yml 引用的目录需要另外创建并复制进去,且私钥权限设为600:`mkdir -p /opt/software/harbor/harbor/cert && cp server.crt server.key /opt/software/harbor/harbor/cert/ && chmod 600 /opt/software/harbor/harbor/cert/server.key`。YAML 中 https 下的各项必须缩进在 https: 之下,否则 port/certificate 会被解析成顶层键而导致 prepare 失败。
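# https related config
# NOTE: port/certificate/private_key must be indented under "https:"; the
# original listing had them at column 0, which YAML parses as three unrelated
# top-level keys and leaves https empty.
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx. These are the server.crt and
  # server.key generated in steps 3-6; copy them here (key mode 0600) —
  # step 8 only populated /etc/docker/certs.d, not this directory.
  certificate: /opt/software/harbor/harbor/cert/server.crt
  private_key: /opt/software/harbor/harbor/cert/server.key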
10、重新启动harbor
先停掉之前的
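# Tear down the running stack, regenerate the compose/nginx config from
# harbor.yml, then reinstall. Chained with && so that a failed prepare (e.g.
# bad YAML indentation or a missing cert path) does not proceed to install.sh
# and silently redeploy the previous HTTP-only configuration.
docker-compose down && ./prepare && ./install.sh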
三、测试
1、浏览器访问 https://172.16.10.151:443/
输入默认用户名密码 admin/Harbor12345,成功进入页面。该默认密码是公开的,首次登录后应立即在界面中修改(或在安装前改 harbor.yml 的 harbor_admin_password),否则任何能访问该地址的人都能以管理员身份登录。
2、在其他机器上测试访问harbor
(1)拷贝ca.crt证书到目标机器(例如用scp从Harbor主机复制到下面创建的目录)。客户端只需要ca.crt;不要把server.key或ca.key分发到其他机器。
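# On the client machine: trust the Harbor CA for this registry only.
# -p is needed because /etc/docker/certs.d does not exist on a fresh Docker
# install, and plain mkdir would fail. ca.crt is assumed to have been
# transferred from the Harbor host already (see the listing that follows).
certs_dir=/etc/docker/certs.d/172.16.10.151:443
mkdir -p -- "$certs_dir"
cp -- ca.crt "$certs_dir/"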
[root@k8s-node02 172.16.10.151:443]# ll
total 4
-rw-r--r--. 1 root root 2009 Dec 11 05:13 ca.crt
(2)登录harbor。下面示例用 -p 在命令行传密码,密码会留在 shell 历史和进程列表中;实际使用建议改为 `docker login -u admin --password-stdin https://172.16.10.151:443`(从标准输入读取密码),并按输出提示配置 credential helper,避免密码明文保存在 ~/.docker/config.json 中。
[root@k8s-node02 opt]# docker login -u admin -p Harbor12345 https://172.16.10.151:443
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded