helm3安装harbor【搭建NFS,用NFS创建PVC/PV供Harbor持久化,Harbor使用 nodePort 暴露方式提供访问】

一、安装nfs-server

k8s-master01信息【提供nfs存储的机器】
公网IP:120.55.76.34
私网IP:172.30.125.99

配置完成后的 NFS 信息(后面 PV 中会用到):

nfs:
server: 172.30.125.99
path: /data/harbor

1.1 在提供 NFS 存储主机上执行,这里默认master节点

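# Install the NFS server packages on the storage host (the master node here).
yum install -y nfs-utils

# Hosts allowed to mount the export. The original line exported to "*", i.e.
# every host that can reach this machine (which also has a public IP), and
# no_root_squash lets root on any such client act as root on the share.
# Set NFS_CLIENTS to the private CIDR of the Kubernetes nodes before running;
# the expansion below aborts with this message if it is unset or empty.
: "${NFS_CLIENTS:?set NFS_CLIENTS to the private CIDR of the Kubernetes nodes}"

# Create the shared directory tree, one sub-directory per Harbor component.
mkdir -p /data/harbor/{chartmuseum,jobservice,registry,database,redis,trivy}

# Run on the master.
# NOTE(review): mode 777 makes the registry, database and redis data writable
# by every local user and every NFS client. A tighter setup would chown each
# sub-directory to the UID its component runs as (see the chart's
# securityContext settings) and drop the world-writable bit - confirm the UIDs
# against the chart before changing this.
chmod -R 777 /data/harbor

# Write the export entry. This replaces the whole of /etc/exports.
#   insecure       - accept requests from client source ports above 1023
#   no_root_squash - do not map remote root to an unprivileged user
# Both are kept from the original; drop them if the Harbor pods still work
# without them.
printf '%s\n' "/data/harbor ${NFS_CLIENTS}(insecure,rw,sync,no_root_squash)" > /etc/exports

# Start the RPC port mapper and the NFS server, and enable them at boot.
systemctl enable rpcbind && systemctl start rpcbind

systemctl enable nfs && systemctl start nfs

# Apply the export table.
exportfs -r

# Check that the export is active and limited to the expected clients.
exportfs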

1.2 配置nfs-client(选做)

  • 在每个node上配置nfs-client,172.30.125.99为master的私网 ip 地址
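# List the exports offered by the NFS server (172.30.125.99 is the master's
# private IP).
showmount -e 172.30.125.99

# Local mount point on the node.
mkdir -p /data/harbor

# nosuid,nodev: the share is exported with no_root_squash, so do not honour
# setuid bits or device nodes that a client with root access may have placed
# on it.
mount -t nfs -o nosuid,nodev 172.30.125.99:/data/harbor /data/harbor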

二、添加 helm repo 仓库

安装 helm 工具
官网:https://github.com/helm/helm/releases

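# Download the Helm release archive together with its published checksum file.
wget https://get.helm.sh/helm-v3.7.2-linux-amd64.tar.gz
wget https://get.helm.sh/helm-v3.7.2-linux-amd64.tar.gz.sha256sum

# Verify the archive before unpacking a binary that will be run as root.
# The checksum file comes from the same host as the archive, so this catches a
# corrupted or truncated download; for stronger assurance compare the hash with
# the one listed on the GitHub releases page. Do not continue if this step does
# not report OK.
sha256sum -c helm-v3.7.2-linux-amd64.tar.gz.sha256sum &&
  tar -zxvf helm-v3.7.2-linux-amd64.tar.gz
# The archive unpacks into the directory linux-amd64.
cd linux-amd64
cp helm /usr/local/bin/
helm version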

以上,helm工具安装成功了,接下来开始添加 harbor的helm repo,并下载 chart 包

官网:https://github.com/goharbor/harbor-helm/releases

# Register the upstream Harbor chart repository under the alias "harbor".
helm repo add harbor https://helm.goharbor.io

# Fetch the pinned chart release; the archive is saved as harbor-1.6.0.tgz.
harbor_chart_version=1.6.0
helm pull harbor/harbor --version "${harbor_chart_version}"

# Unpack it; the extracted directory is named "harbor".
tar zxvf "harbor-${harbor_chart_version}.tgz"

修改 ./harbor/values.yaml,下面列出的字段要对照修改

k8s-master01信息【提供nfs存储的机器】
公网IP:120.55.76.34
私网IP:172.30.125.99

该node安装nfs后:
server: 172.30.125.99
path: /data/harbor

**注意:此处是集群内网的 IP 地址 externalURL: http://172.30.125.99:30002**

#这里我只给出修改的参数,未修改的按照应用默认参数即可

# Excerpt of ./harbor/values.yaml: only the keys changed from the chart
# defaults are shown. Harbor is exposed through a NodePort service over HTTP.
expose:
  type: nodePort  
  
  tls:
    # HTTP is used here, so TLS is switched off.
    # NOTE(review): with TLS disabled, logins and image pushes/pulls against
    # externalURL travel unencrypted; keep this to an internal test network.
    enabled: false
    
externalURL: http://172.30.125.99:30002    # must be changed to your own cluster IP, otherwise login fails
persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:  # per-component storage; the PVCs named here were created in advance (the PV/PVC YAML is given below). With dynamically provisioned PVCs leave existingClaim empty.
    registry:
      # Use the existing PVC which must be created manually before bound,
      # and specify the "subPath" if the PVC is shared with other components
      existingClaim: "harbor-registry"
      # Specify the "storageClass" used to provision the volume. Or the default
      # StorageClass will be used(the default).
      # Set it to "-" to disable dynamic provisioning
      # NOTE(review): presumably unused while existingClaim is set - confirm
      # against the chart templates.
      storageClass: "harbor-registry"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    chartmuseum:
      existingClaim: "harbor-chartmuseum"
      storageClass: "harbor-chartmuseum"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: "harbor-jobservice"
      storageClass: "harbor-jobservice"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # If external database is used, the following settings for database will
    # be ignored
    database:
      existingClaim: "harbor-database"
      storageClass: "harbor-database"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # If external Redis is used, the following settings for Redis will
    # be ignored
    redis:
      existingClaim: "harbor-redis"
      storageClass: "harbor-redis"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    trivy:
      existingClaim: "harbor-trivy"
      storageClass: "harbor-trivy"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
      
# NOTE(review): "Harbor12345" is Harbor's publicly documented default admin
# password, so leaving it here does not change anything. Replace it with a
# strong, unique value before installing, and keep values.yaml out of shared
# repositories once it holds the real password.
harborAdminPassword: "Harbor12345"  # change the default login password

创建 harbor-pv.yaml

vim harbor-pv.yaml #拷贝如下内容,记得替换spec.nfs.server的IP地址
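# harbor-pv.yaml: one statically provisioned NFS PersistentVolume per Harbor
# component. Replace spec.nfs.server with the private IP of your NFS host.
#
# Each volume carries its own storageClassName and app/component labels so the
# matching PersistentVolumeClaim can bind to exactly this volume.
#
# Reclaim policy is Retain, not Recycle: Recycle is deprecated and scrubs the
# directory as soon as the claim is deleted, which would wipe registry images
# and the database if a PVC is ever removed or recreated. That contradicts the
# resourcePolicy "keep" set in values.yaml. With Retain the data stays on the
# NFS share and the volume has to be cleaned up and re-released by hand.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-chartmuseum
  labels:
    app: harbor
    component: chartmuseum
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: harbor-chartmuseum
  persistentVolumeReclaimPolicy: Retain
  nfs:
    server: 172.30.125.99
    path: /data/harbor/chartmuseum

---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-jobservice
  labels:
    app: harbor
    component: jobservice
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: harbor-jobservice
  persistentVolumeReclaimPolicy: Retain
  nfs:
    server: 172.30.125.99
    path: /data/harbor/jobservice

---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-registry
  labels:
    app: harbor
    component: registry
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: harbor-registry
  persistentVolumeReclaimPolicy: Retain
  nfs:
    server: 172.30.125.99
    path: /data/harbor/registry

---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-database
  labels:
    app: harbor
    component: database
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: harbor-database
  persistentVolumeReclaimPolicy: Retain
  nfs:
    server: 172.30.125.99
    path: /data/harbor/database

---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-redis
  labels:
    app: harbor
    component: redis
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: harbor-redis
  persistentVolumeReclaimPolicy: Retain
  nfs:
    server: 172.30.125.99
    path: /data/harbor/redis

---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-trivy
  labels:
    app: harbor
    component: trivy
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: harbor-trivy
  persistentVolumeReclaimPolicy: Retain
  nfs:
    server: 172.30.125.99
    path: /data/harbor/trivy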
kubectl apply -f harbor-pv.yaml

创建harbor-pvc.yaml

vim harbor-pvc.yaml #拷贝如下内容
# harbor-pvc.yaml: one PersistentVolumeClaim per Harbor component. Each claim
# selects its volume by storageClassName plus the app/component labels, and
# its name is what values.yaml references as existingClaim.
#
# No metadata.namespace is set, so the claims are created in whatever
# namespace kubectl is currently using. A pod can only use a claim from its
# own namespace, so install the Harbor release into that same namespace.
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-chartmuseum
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: harbor-chartmuseum
  selector:
    matchLabels:
      app: "harbor"
      component: "chartmuseum"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-jobservice
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: harbor-jobservice
  selector:
    matchLabels:
      app: "harbor"
      component: "jobservice"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-registry
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: harbor-registry
  selector:
    matchLabels:
      app: "harbor"
      component: "registry"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-database
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: harbor-database
  selector:
    matchLabels:
      app: "harbor"
      component: "database"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-redis
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: harbor-redis
  selector:
    matchLabels:
      app: "harbor"
      component: "redis"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-trivy
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: harbor-trivy
  selector:
    matchLabels:
      app: "harbor"
      component: "trivy"

kubectl apply -f harbor-pvc.yaml

三、部署chart

[root@master01 ~]# helm install my-harbor ./harbor/ # 可添加后缀 --namespace harbor(此时上面的 PVC 也必须创建在 harbor 命名空间,否则 existingClaim 找不到对应的 PVC)
[root@master01 ~]# kubectl get po
NAME                                              READY   STATUS    RESTARTS       AGE
my-harbor-harbor-chartmuseum-648ddc6cc7-f6jf7     1/1     Running   3 (38m ago)    57m
my-harbor-harbor-core-787997f69-wwm8m             1/1     Running   4 (35m ago)    57m
my-harbor-harbor-database-0                       1/1     Running   3 (38m ago)    5h36m
my-harbor-harbor-jobservice-b6c898d8b-ktb9c       1/1     Running   4 (36m ago)    57m
my-harbor-harbor-nginx-5c7999cd9f-fxqwr           1/1     Running   3 (38m ago)    150m
my-harbor-harbor-notary-server-78bd56d784-vkdzd   1/1     Running   4 (38m ago)    57m
my-harbor-harbor-notary-signer-69bbf5b848-8f45n   1/1     Running   4 (38m ago)    57m
my-harbor-harbor-portal-7f965b49cd-hmhwc          1/1     Running   3 (38m ago)    5h36m
my-harbor-harbor-redis-0                          1/1     Running   3 (38m ago)    5h36m
my-harbor-harbor-registry-f566858b6-9q7df         2/2     Running   6 (38m ago)    57m
my-harbor-harbor-trivy-0                          1/1     Running   4 (35m ago)    5h36m
nfs-client-provisioner-659758485d-brdw7           1/1     Running   18 (38m ago)   9h

[root@master01 ~]# helm upgrade my-harbor ./harbor/  #更新
[root@master01 ~]# helm list -A  #查看chart
[root@master01 ~]# helm repo list #查看repo

五、 屏蔽 https 访问异常

注意:http://172.30.125.99:30002 中的 IP 请替换为搭建 harbor 的服务器 IP。配置 insecure-registries 后,docker 与该仓库之间使用明文 HTTP,登录凭据和镜像内容都不加密,仅适合内网测试环境。

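# Keep a copy of any existing daemon configuration: the heredoc below replaces
# the whole file instead of merging into it, so settings already present
# (log options, other mirrors, ...) would otherwise be lost.
if [ -f /etc/docker/daemon.json ]; then
  cp -a /etc/docker/daemon.json /etc/docker/daemon.json.bak
fi

# "insecure-registries" makes Docker talk to the listed registry without
# verified TLS, i.e. plain HTTP here. Credentials and image layers are then
# sent unencrypted and unauthenticated; list only the one internal registry
# and remove the entry once Harbor is served over HTTPS.
# The delimiter is quoted so nothing inside the JSON is expanded by the shell.
cat > /etc/docker/daemon.json << 'EOF'
{
 "exec-opts":["native.cgroupdriver=systemd"],
 "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"],
 "insecure-registries": ["http://172.30.125.99:30002"]
}
EOF
systemctl daemon-reload
systemctl restart docker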

六、 内部访问harbor

【私网IP:172.30.125.99】
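# Show the externalURL the chart was configured with.
grep -i externalURL ./harbor/values.yaml

# Read the password without echoing it and pass it to docker on stdin, so it
# does not end up in the shell history or in the process list (docker itself
# warns about -p on the command line).
# Note: this login still goes over plain HTTP, and docker stores the
# credential unencrypted in ~/.docker/config.json unless a credential helper
# is configured.
read -rs -p 'Harbor admin password: ' harbor_password && echo
printf '%s' "${harbor_password}" | docker login -u admin --password-stdin http://172.30.125.99:30002
unset harbor_password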

[root@master01 ~]# cat ./harbor/values.yaml |grep -i externalURL
externalURL: http://172.30.125.99:30002

[root@master01 ~]# docker login -u admin -p Harbor12345 http://172.30.125.99:30002
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

七、浏览器访问

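【公网IP:120.55.76.34】
http://120.55.76.34:30002
注意:这里是通过公网以明文 HTTP 访问,登录时管理员密码不加密传输。对公网开放前应启用 TLS(expose.tls.enabled),并在防火墙/安全组中限制可访问 30002 端口的来源地址。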