Harbor registry: certificate configuration for HTTPS access (configuring Docker for Harbor's HTTPS certificate)

Generate the CA certificate

Pick any directory to hold the generated certificates.

Create the key file:

 root@eb7023:/data/certs>openssl genrsa -out ca.key 4096
 Generating RSA private key, 4096 bit long modulus
 ............++
 .........................++
 e is 65537 (0x10001)

Generate the certificate

harbor23.com here is the hostname of my Harbor registry, i.e. the value of hostname in Harbor's configuration file (a bare hostname, no http:// scheme). An IP address can be used instead, but then it must also appear as an IP.1 entry under [alt_names] in the v3.ext file below rather than as DNS.1, because clients match the address against the SAN. The CA and the server certificate share the same subject in this walkthrough; that works, but giving the CA its own name (for example /CN=Harbor Root CA) makes issuer and subject distinguishable when you inspect a chain later.

 root@eb7023:/data/certs>openssl req -x509 -new -nodes -sha512 -days 3650  -subj "/CN=harbor23.com"  -key ca.key  -out ca.crt
 root@eb7023:/data/certs>ll
 total 8
 -rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
 -rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key

Generate the server certificate

Create the private key

 root@eb7023:/data/certs>openssl genrsa -out server.key 4096
 Generating RSA private key, 4096 bit long modulus
 ........................................................................................................................................................++
 .............................................................................++
 e is 65537 (0x10001)

Generate the certificate signing request

 root@eb7023:/data/certs>openssl req  -new -sha512  -subj "/CN=harbor23.com"  -key server.key  -out server.csr
 root@eb7023:/data/certs>ll
 total 16
 -rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
 -rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
 -rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
 -rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key

Generate the certificate for the Harbor host

First create a v3.ext file. It marks the certificate as a non-CA leaf for TLS servers (serverAuth) and, most importantly, carries the subjectAltName that Docker and browsers actually check the hostname against:

 root@eb7023:/data/certs>cat > v3.ext <<-EOF
 authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 [alt_names]
 DNS.1=harbor23.com
 EOF
 root@eb7023:/data/certs>
 root@eb7023:/data/certs>ll
 total 20
 -rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
 -rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
 -rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
 -rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
 -rw-r--r-- 1 root root  231 Sep 11 14:48 v3.ext

Sign the server certificate with the CA:

 root@eb7023:/data/certs>openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
 Signature ok
 subject=/CN=harbor23.com
 Getting CA Private Key
 root@eb7023:/data/certs>ll
 total 28
 -rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
 -rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
 -rw-r--r-- 1 root root   17 Sep 11 14:48 ca.srl
 -rw-r--r-- 1 root root 1830 Sep 11 14:48 server.crt
 -rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
 -rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
 -rw-r--r-- 1 root root  231 Sep 11 14:48 v3.ext

At this point all the certificate files have been generated, and what remains is configuration. Two things are worth fixing before moving on. The listings show ca.key and server.key as -rw-r--r--, i.e. readable by every local user; tighten them with chmod 600 ca.key server.key. And ca.key is only needed when issuing certificates, so keep it out of the directory Harbor reads from (or off the registry host altogether): anyone holding it can mint a certificate for any name that clients trusting this CA will accept.
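The whole procedure above as one script, written as an added example and not the commands from the original post. It keeps the page's choices (4096-bit RSA, SHA-512, a ten-year self-signed CA signing a leaf whose SAN names the host) but gives the CA its own subject and explicit CA constraints, writes the private keys with mode 0600 via umask, accepts an optional IP address for the SAN, and checks the result with openssl verify before anything is copied into Harbor. The output directory, the "Harbor Lab Root CA" subject, the 10.0.0.23 address used in the comments and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the original post's commands: build a CA and a server
# certificate for a Harbor host and verify them before touching harbor.yml.
# Output directory, CA subject and the optional IP address are assumptions.
set -eu

# make_harbor_certs <outdir> <hostname> [ip]
make_harbor_certs() {
    local outdir=$1 host=$2 ip=${3:-}
    mkdir -p "$outdir"

    # Keys are created under the current umask; 077 yields 0600 instead of the
    # world-readable 0644 shown in the listing above.
    ( umask 077
      openssl genrsa -out "$outdir/ca.key" 4096 2>/dev/null
      openssl genrsa -out "$outdir/server.key" 4096 2>/dev/null )

    # Self-signed CA with its own subject and explicit CA constraints, so it
    # cannot be confused with the server certificate when a chain is inspected.
    printf '%s\n' \
        'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > "$outdir/ca.ext"
    openssl req -new -sha512 -subj '/O=Harbor Lab/CN=Harbor Lab Root CA' \
        -key "$outdir/ca.key" -out "$outdir/ca.csr"
    openssl x509 -req -sha512 -days 3650 -signkey "$outdir/ca.key" \
        -extfile "$outdir/ca.ext" -in "$outdir/ca.csr" -out "$outdir/ca.crt" 2>/dev/null

    # Server CSR, then a leaf whose SAN carries the name clients will dial.
    # An IP literal must be an IP.n entry; DNS.n would not match it.
    openssl req -new -sha512 -subj "/CN=$host" \
        -key "$outdir/server.key" -out "$outdir/server.csr"
    {
        echo 'authorityKeyIdentifier=keyid,issuer'
        echo 'basicConstraints=CA:FALSE'
        echo 'keyUsage = digitalSignature, keyEncipherment'
        echo 'extendedKeyUsage = serverAuth'
        echo 'subjectAltName = @alt_names'
        echo '[alt_names]'
        echo "DNS.1=$host"
        if [ -n "$ip" ]; then echo "IP.1=$ip"; fi
    } > "$outdir/v3.ext"
    openssl x509 -req -sha512 -days 3650 -extfile "$outdir/v3.ext" \
        -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -in "$outdir/server.csr" -out "$outdir/server.crt" 2>/dev/null
}

# verify_harbor_certs <outdir> <hostname>
# Fails unless server.crt chains to ca.crt, is valid for <hostname>, is usable
# as a TLS server certificate, and matches server.key.
verify_harbor_certs() {
    local outdir=$1 host=$2
    openssl verify -CAfile "$outdir/ca.crt" -purpose sslserver \
        -verify_hostname "$host" "$outdir/server.crt"
    # A key/certificate mismatch is the usual reason nginx refuses to start.
    [ "$(openssl pkey -in "$outdir/server.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$outdir/server.crt" -noout -pubkey)" ]
    # Clients match the name against the SAN, not the CN; show what they see.
    openssl x509 -in "$outdir/server.crt" -noout -subject -issuer -dates
    openssl x509 -in "$outdir/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

# Stand-alone use:  sh make-harbor-certs.sh /data/certs harbor23.com [10.0.0.23]
if [ $# -ge 2 ]; then
    make_harbor_certs "$1" "$2" "${3:-}"
    verify_harbor_certs "$1" "$2"
fi
```

Run it with the directory and hostname from harbor.yml; it exits non-zero as soon as any check fails, so it is safe to put in front of ./prepare. The ca.key it leaves in the output directory should still be moved somewhere the registry host does not need.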

Configure and install the certificates

Copy server.crt and server.key into the /data/certs directory (the path referenced in harbor.yml below).

Since I have been working in that directory all along, that step is skipped here.

Next, edit Harbor's configuration file and change the following items. The hostname must be the name in the certificate's SAN, and the certificate and private_key paths are what ./prepare reads when it generates the nginx configuration:

 root@eb7023:/data/certs>vim ~/harbor/harbor.yml 
 hostname: harbor23.com
 https:
   port: 443
   certificate: /data/certs/server.crt
   private_key: /data/certs/server.key

Now restart Harbor. The commands must be run from the directory where the Harbor installer was unpacked, since that is where ./prepare and docker-compose.yml live. Note that the -v flag on docker-compose down also removes named volumes; Harbor's default docker-compose.yml keeps its state in bind mounts under /data, so nothing is lost here, but a plain docker-compose down is all the restart needs.

 # regenerate the configuration
 root@eb7023:/root/harbor>./prepare 
 prepare base dir is set to /root/harbor
 Clearing the configuration file: /config/log/logrotate.conf
 Clearing the configuration file: /config/log/rsyslog_docker.conf
 Clearing the configuration file: /config/nginx/nginx.conf
 Clearing the configuration file: /config/core/env
 Clearing the configuration file: /config/core/app.conf
 Clearing the configuration file: /config/registry/config.yml
 Clearing the configuration file: /config/registry/root.crt
 Clearing the configuration file: /config/registryctl/env
 Clearing the configuration file: /config/registryctl/config.yml
 Clearing the configuration file: /config/db/env
 Clearing the configuration file: /config/jobservice/env
 Clearing the configuration file: /config/jobservice/config.yml
 Generated configuration file: /config/log/logrotate.conf
 Generated configuration file: /config/log/rsyslog_docker.conf
 Generated configuration file: /config/nginx/nginx.conf
 Generated configuration file: /config/core/env
 Generated configuration file: /config/core/app.conf
 Generated configuration file: /config/registry/config.yml
 Generated configuration file: /config/registryctl/env
 Generated configuration file: /config/db/env
 Generated configuration file: /config/jobservice/env
 Generated configuration file: /config/jobservice/config.yml
 loaded secret from file: /secret/keys/secretkey
 Generated configuration file: /compose_location/docker-compose.yml
 Clean up the input dir
 ## stop the running Harbor
 root@eb7023:/root/harbor>docker-compose down -v
 /usr/lib/python2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
   from cryptography.hazmat.backends import default_backend
 Stopping harbor-jobservice ... done
 Stopping harbor-portal     ... done
 Stopping registry          ... done
 Stopping registryctl       ... done
 Stopping redis             ... done
 Stopping harbor-db         ... done
 Stopping harbor-log        ... done
 Removing nginx             ... done
 Removing harbor-jobservice ... done
 Removing harbor-core       ... done
 Removing harbor-portal     ... done
 Removing registry          ... done
 Removing registryctl       ... done
 Removing redis             ... done
 Removing harbor-db         ... done
 Removing harbor-log        ... done
 Removing network harbor_harbor
 ## start Harbor in the background
 root@eb7023:/root/harbor>docker-compose up -d
 /usr/lib/python2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
   from cryptography.hazmat.backends import default_backend
 Creating network "harbor_harbor" with the default driver
 Creating harbor-log ... done
 Creating registry      ... done
 Creating harbor-db     ... done
 Creating registryctl   ... done
 Creating harbor-portal ... done
 Creating redis         ... done
 Creating harbor-core   ... done
 Creating harbor-jobservice ... done
 Creating nginx             ... done
 

Configure Docker to trust the Harbor certificate

Copy the server certificate into Docker's per-registry certificate directory on the machine where Docker runs. The directory name must be exactly the registry reference used on the command line (harbor23.com here; a registry on a non-default port would be harbor23.com:5000), and every *.crt file inside it is loaded as a trust anchor.

 # certs.d already exists on this machine; create it with mkdir if it does not
 root@eb7023:/root/harbor>cd /etc/docker/certs.d/
 root@eb7023:/etc/docker/certs.d>ll
 total 0
 root@eb7023:/etc/docker/certs.d>mkdir -p /etc/docker/certs.d/harbor23.com
 root@eb7023:/etc/docker/certs.d>cd /data/certs/
 root@eb7023:/data/certs>ll
 total 28
 -rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
 -rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
 -rw-r--r-- 1 root root   17 Sep 11 14:48 ca.srl
 -rw-r--r-- 1 root root 1830 Sep 11 14:48 server.crt
 -rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
 -rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
 -rw-r--r-- 1 root root  231 Sep 11 14:48 v3.ext
 root@eb7023:/data/certs>cp server.crt  /etc/docker/certs.d/harbor23.com/server.crt

Then docker login works straight away. Two caveats on this step. The file copied here is the server certificate rather than ca.crt; that works because Go's certificate verifier, which Docker uses, accepts a trust anchor that is the server certificate itself, but it pins every client to this exact certificate, so re-issuing server.crt from the same CA later means copying it to every client again, whereas distributing ca.crt (what the Harbor documentation does) survives a re-issue. And the warning in the output is real: docker login stores the password base64-encoded in ~/.docker/config.json, so configure a credential helper on any shared machine.

 root@eb7023:/data/certs>docker login harbor23.com
 Username: admin
 Password: 
 WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
 Configure a credential helper to remove this warning. See
 https://docs.docker.com/engine/reference/commandline/login/#credentials-store
 
 Login Succeeded

Here Docker and Harbor run on the same machine; for any other machine, copy the crt file over in the same way:

 root@eb7023:/data/certs>scp server.crt root@eb7045:/etc/docker/certs.d/harbor23.com/server.crt
 root@eb7045's password: 
 server.crt                                    100% 1830     2.1MB/s   00:00    

On eb7045, verify by logging in:

 root@eb7045:/etc/docker/certs.d/harbor23.com>docker login harbor23.com
 Username: admin
 Password: 
 WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
 Configure a credential helper to remove this warning. See
 https://docs.docker.com/engine/reference/commandline/login/#credentials-store
 
 Login Succeeded
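The client-side check I would run before and after copying a certificate into certs.d, written as an added example rather than the page's own commands. It reports whether each file Docker will load for a registry is a CA anchor or a pinned leaf, whether it validates a given server certificate for the registry's hostname or IP, and whether it is about to expire; check_live_registry performs the same validation against the running Harbor with openssl s_client. The function names, the 30-day expiry window and the optional certs.d root override (so the check can run against a staging copy) are assumptions for illustration; the -partial_chain flag is how openssl is told to accept what Go's verifier accepts, namely the server certificate itself as the anchor, which is the situation the docker login above relies on.

```shell
#!/bin/sh
# Added example, not the original post's commands: inspect what Docker will
# trust for a registry and confirm it validates the registry's certificate.
# Docker loads every *.crt under /etc/docker/certs.d/<host[:port]>/ as a trust
# anchor; *.cert and *.key there are client certificates, a different thing.
set -eu

# Hostnames are matched against DNS SAN entries, IP literals against IP ones.
name_check_opt() {
    case $1 in
        *[!0-9.]*) echo "-verify_hostname $1" ;;
        *)         echo "-verify_ip $1" ;;
    esac
}

# check_docker_registry_trust <registry> <server.crt> [certs_root]
# Returns 0 if at least one anchor in <certs_root>/<registry>/ validates
# <server.crt> for the registry's host or IP, 1 otherwise.
check_docker_registry_trust() {
    local registry=$1 server_crt=$2 root=${3:-/etc/docker/certs.d}
    local dir="$root/$registry" host=${registry%%:*} ok=1 crt hostopt
    if [ ! -d "$dir" ]; then
        echo "$dir: missing (directory name must equal the registry reference, port included)"
        return 1
    fi
    hostopt=$(name_check_opt "$host")
    for crt in "$dir"/*.crt; do
        if [ ! -f "$crt" ]; then
            echo "$dir: no *.crt file, Docker will only trust the system CA bundle"
            return 1
        fi
        # -partial_chain lets openssl accept the anchor even when it is the
        # server certificate itself, which is what Go's verifier (and so
        # docker login) does with the copy of server.crt used above.
        if openssl verify -CAfile "$crt" -partial_chain $hostopt "$server_crt" >/dev/null 2>&1; then
            ok=0
            if openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE'; then
                echo "$crt: CA anchor, validates $server_crt for $host"
            else
                echo "$crt: pinned leaf, validates $server_crt for $host; re-issuing the server certificate will break this client"
            fi
        else
            echo "$crt: does not validate $server_crt for $host"
        fi
        # Flag anchors that expire within 30 days (2592000 s).
        openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
            || echo "$crt: expires within 30 days"
    done
    return $ok
}

# check_live_registry <registry> <anchor.crt>
# Same validation against the running Harbor: a TLS handshake with SNI and
# name verification, succeeding only when the served chain validates.
check_live_registry() {
    local registry=$1 anchor=$2 host=${1%%:*} port
    case $registry in
        *:*) port=${registry##*:} ;;
        *)   port=443 ;;
    esac
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$anchor" -partial_chain $(name_check_opt "$host") \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Stand-alone use:  sh check-trust.sh harbor23.com /data/certs/server.crt
if [ $# -ge 2 ]; then
    check_docker_registry_trust "$1" "$2"
fi
```

Run check_docker_registry_trust on every Docker host after the scp, and check_live_registry once Harbor is back up; a "pinned leaf" line is the reminder that ca.crt, not server.crt, is the file that lets you rotate the server certificate without revisiting each client.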

That completes the configuration.

Reference: https://zhuanlan.zhihu.com/p/234918875
