1.GitHub的官方地址
https://github.com/goharbor/harbor
2.下载harbor
wget https://github.com/goharbor/harbor/releases/download/v2.8.2/harbor-offline-installer-v2.8.2.tgz
3.解压软件包
tar xf harbor-offline-installer-v2.8.2.tgz -C /lianshanzhouyi/softwares/
4.修改配置文件
cp harbor.yml.tmpl harbor.yml
vim harbor.yml
# 添加主机名称
hostname: lianshan.zhouyi.com
...
# 设置管理员密码
harbor_admin_password: 1
5.安装harbor
./install.sh #自带脚本
登录harbor
# echo 1 | docker login -u admin --password-stdin lianshan.zhouyi.com
# docker login -u admin -p 1 lianshan.zhouyi.com
# docker login lianshan.zhouyi.com
退出harbor:
# docker logout lianshan.zhouyi.com
harbor配置自建证书:
1.生成ca的证书
(1)创建证书目录并进入到证书目录
mkdir /lianshanzhouyi/softwares/harbor/certs/custom/{ca,server,client}
cd /lianshanzhouyi/softwares/harbor/certs/custom
(2)生成ca的私钥
# openssl genrsa -out ca/ca.key 4096
(3)生成ca的自签名证书
# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=oldboyedu.com" \
-key ca/ca.key \
-out ca/ca.crt
2.生成harbor主机证书
(1)生成harbor主机的私钥
# openssl genrsa -out server/harbor.oldboyedu.com.key 4096
(2)生成harbor主机的证书申请
# openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.oldboyedu.com" \
-key server/harbor.oldboyedu.com.key \
-out server/harbor.oldboyedu.com.csr
(3)生成x509 v3扩展文件
# cat > server/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=lianshan.com
DNS.2=zhouyi
DNS.3=lianshan.zhouyi.com
EOF
(4)使用"v3.ext"给harbor主机签发证书
# openssl x509 -req -sha512 -days 3650 \
-extfile server/v3.ext \
-CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
-in server/lianshanzhouyi.com.csr \
-out server/lianshanzhouyi.com.crt
(5)将crt文件转换为cert客户端证书文件
# openssl x509 -inform PEM -in server/harbor.oldboyedu.com.crt -out server/harbor.oldboyedu.com.cert
温馨提示:
docker程序认为"*.crt"文件是CA证书文件,"*.cert"客户端证书文件,于是上面第五步需要转换一下,其实使用cp一下也是可以的,内容并没有变化。
3.配置harbor服务器使用证书
(1)修改harbor的配置文件
# vim /oldboyedu/softwares/harbor/harbor.yml
...
hostname: harbor.oldboyedu.com
...
https:
...
certificate: /lianshanzhouyi/softwares/harbor/certs/custom/server/lianshan.zhouyi.com.crt
private_key: /lianshanzhouyi/softwares/harbor/certs/custom/server/lianshan.zhouyi.com.key
...
harbor_admin_password: 1
(2)安装harbor服务
# cd /oldboyedu/softwares/harbor && ./install.sh
温馨提示:
如果已经安装harbor服务的话,就不需要重复执行"./install.sh"脚本,仅需执行"./prepare"并搭配"docker-compose down"和"docker-compose up -d"即可。
4.客户端配置证书,推荐配置,便于后期维护。
[root@centos201 custom]# cp ca/ca.crt server/lianshan.zhouyi.com.key server/lianshan.zhouyi.com.cert client/
5.将客户端证书拷贝到需要登录harbor服务器的节点上
1)创建自定义域名的证书存放路径(注意,下面的"lianshan.zhouyi.com"改成你自己的自签域名)
1) mkdir -pv /etc/docker/certs.d/lianshan.zhouyi.com
2)拷贝证书文件到需要登录的节点
[root@centos201 custom]# scp client/* 0.0.0.0:/etc/docker/certs.d/lianshan.zhouyi.com/
3)客户端登录验证
[root@centos202 ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://tuv7rqqq.mirror.aliyuncs.com"]
}
[root@centos202 ~]#
[root@centos202 ~]# systemctl restart docker
[root@centos202 ~]#
[root@centos202 ~]# docker login -u admin -p 1 lianshan.zhouyi.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@centos202 ~]#
Error response from daemon: Get "https://lianshan.zhouyi.com/v2/": x509: certificate signed by unknown authority
说明证书是自签证书,需要单独配置信任。
.
将客户端证书推送到所有的k8s集群
scp certs/custom/client/*
5.挑选任意K8S节点测试harbor能否正常访问
[root@master231 ~]# docker login -u admin -p 1 lianshan.zhouyi.com
.....
Login Succeeded