Configuring HTTPS for Harbor
Note: this walkthrough uses the domain name registry.harbor.com as the example; an IP address can be used in place of the domain name when configuring HTTPS.
I. Generate the certificate authority (CA) certificate
# Generate the CA private key
openssl genrsa -out ca.key 4096
# Generate the self-signed CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=registry.harbor.com" \
-key ca.key \
-out ca.crt
II. Generate the server certificate
Generate the private key and the certificate signing request
# Generate the server private key
openssl genrsa -out registry.harbor.com.key 4096
# Generate the certificate signing request (CSR)
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=registry.harbor.com" \
-key registry.harbor.com.key \
-out registry.harbor.com.csr
Generate an x509 v3 extension file
1. When using a domain name
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=registry.harbor.com
DNS.2=registry.harbor
DNS.3=harbor
EOF
2. When using an IP address
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.70.134
EOF
Use this v3.ext file to generate the certificate for your Harbor host
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in registry.harbor.com.csr \
-out registry.harbor.com.crt
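Before copying the files into Docker's certificate folder and pointing harbor.yml at them, the following added check (not part of the original tutorial; the function names check_harbor_cert and make_demo_pki are this example's own, and only a stock openssl binary is assumed) confirms that the server certificate chains to ca.crt, that the private key matches it, that the name clients will use appears in subjectAltName, and that the certificate is not about to expire. The helper make_demo_pki rebuilds a throwaway CA and server certificate the same way as the steps above so the check can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity-check the CA, server
# certificate and key produced above before handing them to Docker and Harbor.
# Only OpenSSL is assumed; function and file names here are this example's own.

# check_harbor_cert CA.crt SERVER.crt SERVER.key HOSTNAME_OR_IP -> exit 0 if usable
check_harbor_cert() {
  ca="$1"; crt="$2"; key="$3"; host="$4"
  # 1. The server certificate must chain to the CA that Docker will be told to trust.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt does not verify against $ca"; return 1; }
  # 2. The private key must belong to the certificate (compare the public keys).
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "FAIL: $key does not belong to $crt"; return 1; }
  # 3. The name clients connect to must appear in subjectAltName; Docker and
  #    modern TLS clients ignore a CN that is not repeated there.
  san=$(openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr -d ' ' | tr ',' '\n')
  echo "$san" | grep -qx -e "DNS:$host" -e "IPAddress:$host" \
    || { echo "FAIL: subjectAltName lacks $host (found: $(echo "$san" | tr '\n' ' '))"; return 1; }
  # 4. Reject a certificate that expires within 30 days (2592000 seconds).
  openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
    || { echo "FAIL: $crt expires within 30 days"; return 1; }
  echo "OK: $crt is valid for $host and signed by $ca"
}

# make_demo_pki DIR HOST: build a throwaway CA and server certificate the same
# way the tutorial does (shorter RSA keys for speed) so the check can be exercised.
make_demo_pki() {
  dir="$1"; host="$2"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/CN=demo-ca" \
    -key "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -sha512 -new -subj "/CN=$host" -key "$dir/$host.key" \
    -out "$dir/$host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$dir/v3.ext"
  openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -in "$dir/$host.csr" -out "$dir/$host.crt" 2>/dev/null
}

# On the Harbor host, run it against the real files from the steps above:
#   check_harbor_cert ca.crt registry.harbor.com.crt registry.harbor.com.key registry.harbor.com
```

When the IP variant of v3.ext was used, pass the IP address as the last argument; the check then looks for the matching IP Address entry in subjectAltName.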
III. Provide the certificates to Harbor and Docker
1. Configure Docker
Convert yourdomain.com.crt (here registry.harbor.com.crt) to yourdomain.com.cert for Docker's use. The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.
openssl x509 -inform PEM -in registry.harbor.com.crt -out registry.harbor.com.cert
Copy the server certificate, key and CA file into the Docker certificate folder on the Harbor host. You must create the appropriate folder first.
mkdir -p /etc/docker/certs.d/registry.harbor.com/
cp registry.harbor.com.cert /etc/docker/certs.d/registry.harbor.com/
cp registry.harbor.com.key /etc/docker/certs.d/registry.harbor.com/
cp ca.crt /etc/docker/certs.d/registry.harbor.com/
If the default nginx port 443 is mapped to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port or /etc/docker/certs.d/harbor_IP:port instead. (Omitted here.)
Restart Docker Engine.
systemctl restart docker
2. Configure Harbor
Edit the harbor.yml configuration file
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: registry.harbor.com
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/registry.harbor.com.crt
  private_key: /data/cert/registry.harbor.com.key
Run the Harbor deployment (the certificate and key files must already exist at the paths given in harbor.yml)
./install.sh