Harbor Deployment (Helm)

Harbor Deployment (Helm)

Helm 部署 Harbor需要使用共享存储,docker-compose 部署使用单台宿主机存储。

前期准备

创建 SSL/TLS 证书
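# Demo hostname; in a real environment request an internal domain name.
# VIP: bigdata.harbor.com
# hosts entry: 10.83.195.250 bigdata.harbor.com
# Normally a certificate issued by the company CA is used; the private CA
# created below is for this walkthrough only.

mkdir -p /data/harbor_helm/stl && cd /data/harbor_helm/stl
# Generate the CA private key. Whoever holds ca.key can issue certificates
# that every client trusting ca.crt will accept, so restrict it to its owner.
openssl genrsa -out ca.key 4096
chmod 600 ca.key
# Generate the self-signed CA certificate (valid 36500 days, i.e. demo-grade
# lifetime; pick a shorter validity for anything long-lived).
# The CA gets its own subject here (CN=harbor-ca is an example name). The
# original reused CN=bigdata.harbor.com for both CA and server certificate;
# with identical issuer and subject names some verifiers (OpenSSL among them)
# can treat the server certificate as self-signed and reject the chain.
openssl req -x509 -new -nodes -sha512 -days 36500 \
 -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=harbor/OU=harbor/CN=harbor-ca" \
 -key ca.key \
 -out ca.crt
# Generate the private key for the Harbor server certificate.
openssl genrsa -out harbor.key 4096
chmod 600 harbor.key
# Generate the certificate signing request (CSR) for the Harbor hostname.
openssl req -sha512 -new \
    -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=harbor/OU=harbor/CN=bigdata.harbor.com" \
    -key harbor.key \
    -out harbor.csr
# Write the x509 v3 extensions for the server certificate.
# Clients match the hostname against subjectAltName, so every name used to
# reach Harbor must be listed. DNS.2 is the wildcard for sub-domains (the
# original had a doubled dot, "*..", which matches nothing). DNS.3=hostname is
# a placeholder: replace it with a real host name or delete the line.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=bigdata.harbor.com
DNS.2=*.bigdata.harbor.com
DNS.3=hostname
EOF
# Sign the CSR with the CA to produce the Harbor server certificate
# (valid 3650 days). -CAcreateserial writes the serial file next to ca.crt.
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in harbor.csr \
    -out harbor.crt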

基于证书创建 secret

# Create the namespace that will hold Harbor and its TLS secret.
kubectl create namespace harbor-uat
# Load the server certificate and private key into a TLS secret. The relative
# file names assume the current directory is still the one where
# harbor.crt and harbor.key were generated.
kubectl --namespace harbor-uat create secret tls k8s-harbor-secret \
  --cert harbor.crt \
  --key harbor.key
# Confirm the secret was created.
kubectl --namespace harbor-uat get secret k8s-harbor-secret

Harbor 部署

下载

# Register the Harbor chart repository under the local alias "harbor".
helm repo add harbor https://helm.goharbor.io
# Download the pinned chart version; this leaves harbor-1.14.2.tgz in the
# current directory.
helm pull harbor/harbor --version=1.14.2
# Unpack the archive (verbose) and enter the extracted chart directory.
tar -xvzf harbor-1.14.2.tgz
cd harbor

# Edit the ipv6 setting in values.yaml: IPv6 is switched off here.
ipFamily:
  # ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component
  ipv6:
    enabled: false

# Edit the ingress className in values.yaml.
# NOTE(review): this excerpt is indented because it is nested in values.yaml;
# the install command addresses it as expose.ingress.*, so presumably the
# parent key is expose - confirm against the chart's values.yaml.
  ingress:
    hosts:
      # Chart default host name; the install command overrides it with
      # --set expose.ingress.hosts.core=bigdata.harbor.com.
      core: core.harbor.domain
    # set to the type of ingress controller if it has specific requirements.
    # leave as `default` for most ingress controllers.
    # set to `gce` if using the GCE ingress controller
    # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller
    # set to `alb` if using the ALB ingress controller
    # set to `f5-bigip` if using the F5 BIG-IP ingress controller
    controller: default
    ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress
    kubeVersionOverride: ""
    # Changed: set className to the ingress class that should serve Harbor.
    className: "nginx"

安装

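# Run ONE of the two installs below; they share a release name and are
# alternatives, not consecutive steps.
#
# ./harbor is the extracted chart directory, so run the command from the
# directory that contains it. (The original note says "same level as
# Chart.yaml"; from inside the chart directory the chart path would be "."
# instead of ./harbor.)
#
# Admin password: the chart key is harborAdminPassword (singular). The original
# passed harborAdminPasswords=admin@123; --set accepts an unknown key without
# complaint, which would presumably leave the chart's default admin password
# active - verify the key with `helm show values ./harbor`. The password is
# read from HARBOR_ADMIN_PASSWORD so a literal secret is not typed into the
# command line or copied from this page; it still ends up in the stored Helm
# release values, so change it in the Harbor portal after the first login.
#
# NOTE(review): nginx.org/client-max-body-size is an annotation of the F5 NGINX
# Ingress Controller; the community ingress-nginx controller uses
# nginx.ingress.kubernetes.io/proxy-body-size. Confirm which controller backs
# the "nginx" ingress class.

# Variant 1: persistent data on shared storage (Ceph). The storage class
# harbor-ceph-storage must already exist in the cluster.
helm install harbor-uat -n harbor-uat  ./harbor  \
   --set expose.ingress.hosts.core=bigdata.harbor.com \
   --set-string expose.ingress.annotations.'nginx\.org/client-max-body-size'="1024m" \
   --set expose.tls.secretName=k8s-harbor-secret \
   --set persistence.persistentVolumeClaim.registry.storageClass=harbor-ceph-storage \
   --set persistence.persistentVolumeClaim.jobservice.storageClass=harbor-ceph-storage \
   --set persistence.persistentVolumeClaim.database.storageClass=harbor-ceph-storage \
   --set persistence.persistentVolumeClaim.redis.storageClass=harbor-ceph-storage \
   --set persistence.persistentVolumeClaim.trivy.storageClass=harbor-ceph-storage \
   --set persistence.persistentVolumeClaim.chartmuseum.storageClass=harbor-ceph-storage \
   --set persistence.enabled=true \
   --set externalURL=https://bigdata.harbor.com/ \
   --set-string harborAdminPassword="${HARBOR_ADMIN_PASSWORD:?export HARBOR_ADMIN_PASSWORD first}"

# Variant 2: persistence.enabled=false keeps data inside the pods, so images
# and database contents are lost when pods are recreated. Testing only.
helm install harbor-uat -n harbor-uat  ./harbor \
   --set expose.ingress.hosts.core=bigdata.harbor.com \
   --set-string expose.ingress.annotations.'nginx\.org/client-max-body-size'="1024m" \
   --set expose.tls.secretName=k8s-harbor-secret \
   --set persistence.enabled=false \
   --set externalURL=https://bigdata.harbor.com/ \
   --set-string harborAdminPassword="${HARBOR_ADMIN_PASSWORD:?export HARBOR_ADMIN_PASSWORD first}"

# Sample output as pasted by the author (it shows namespace "harbor", while
# the commands above install into harbor-uat):
# NAME: harbor-uat
# LAST DEPLOYED: Fri Apr 12 14:36:24 2024
# NAMESPACE: harbor
# STATUS: deployed
# REVISION: 1
# TEST SUITE: None
# NOTES:
# Please wait for several minutes for Harbor deployment to complete.
# Then you should be able to visit the Harbor portal at https://bigdata.harbor.com/
# For more details, please visit https://github.com/goharbor/harbor

# Inspect the deployed resources.
kubectl get ingress,svc,pvc,pv,pods -owide -n harbor-uat 

# Uninstall the release. Persistent volume claims may be left behind; check
# with `kubectl get pvc -n harbor-uat` before reinstalling.
helm uninstall harbor-uat -n harbor-uat 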
推送镜像
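# Preferred: let Docker verify Harbor's certificate by trusting the CA created
# earlier (ca.crt in /data/harbor_helm/stl) for this registry host. With the CA
# installed here, no insecure-registries entry is needed.
mkdir -p /etc/docker/certs.d/bigdata.harbor.com
cp /data/harbor_helm/stl/ca.crt /etc/docker/certs.d/bigdata.harbor.com/ca.crt

# Fallback only: an insecure-registries entry makes Docker ignore certificate
# errors for that host and fall back to plain HTTP, so pushes and pulls can be
# intercepted or tampered with on the network. Entries are host[:port] values
# without a scheme; drop the https:// prefix shown in the JSON below.
vim  /etc/docker/daemon.json 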
{
  "registry-mirrors": ["https://ogeydad1.mirror.aliyuncs.com"],
  "insecure-registries": ["https://bigdata.harbor.com"],
   "exec-opts": ["native.cgroupdriver=systemd"]
}

# Reload, then restart the Docker daemon so the daemon.json change is applied.
systemctl reload docker \
  && systemctl restart docker
# NOTE(review): docker-compose restart acts on a compose project in the current
# directory; presumably it brings compose-managed containers back after the
# daemon restart - it is not part of the Helm deployment itself.
docker-compose restart

# Registry host plus the Harbor project that receives the images.
harbor_project=bigdata.harbor.com/bigdata

# Pull a public image and re-tag it for the Harbor project.
docker pull nginx:1.16
docker tag nginx:1.16 "${harbor_project}/nginx:1.16"
# Log in to the registry (interactive prompt). The page logs in as
# admin / admin@123; a shared or production instance needs a strong password
# that is not published alongside the instructions.
docker login https://bigdata.harbor.com
# Expected output: Login Succeeded

# Push the re-tagged image to Harbor.
docker push "${harbor_project}/nginx:1.16"

# Same pull / tag / push cycle for a second image.
docker pull centos:centos7
docker tag centos:centos7 "${harbor_project}/centos:centos7"
docker push "${harbor_project}/centos:centos7"