K8S Harbor
Harbor is an open-source, web-UI based enterprise registry for Docker images and Helm charts.
Reference: https://goharbor.io/docs/2.7.0/
Previewing Harbor
Harbor provides an official demo site for trying it out: https://demo.goharbor.io/harbor/projects.
Register an account and log in.
Installing Harbor
Deploying Harbor with Docker Compose (single node)
Reference: https://goharbor.io/docs/2.7.0/install-config/
1. Prerequisites
Reference: https://goharbor.io/docs/2.7.0/install-config/installation-prereqs/
1.1. Hardware requirements
Resource | Minimum | Recommended |
---|---|---|
CPU | 2 CPU | 4 CPU |
Mem | 4 GB | 8 GB |
Disk | 40 GB | 160 GB |
1.2. Software requirements
Software | Version | Description |
---|---|---|
Docker engine | Version 17.06.0-ce+ or higher | Installation: https://docs.docker.com/engine/installation/ |
Docker Compose | docker-compose (v1.18.0+) or docker compose v2 (docker-compose-plugin) | Installation: https://docs.docker.com/compose/install/ |
Openssl | Latest | Used to generate certificates and keys for Harbor |
1.3. Network ports
Port | Protocol | Description |
---|---|---|
443 | HTTPS | Harbor portal and core API accept requests over HTTPS. The port can be changed in the config file. |
4443 | HTTPS | Docker Content Trust (Notary) service for Harbor. Needed only when Notary is enabled; the port can be changed in the config file. |
80 | HTTP | Harbor portal and core API accept requests over HTTP. The port can be changed in the config file. |
2. Download and extract Harbor
Download page: https://github.com/goharbor/harbor/releases
Offline, online and source packages are available; the offline package is recommended.
Reference: https://goharbor.io/docs/2.7.0/install-config/download-installer/
[root@localhost ~]# wget https://github.com/goharbor/harbor/releases/download/v2.6.3/harbor-offline-installer-v2.6.3.tgz
[root@localhost ~]# tar xzvf harbor-offline-installer-v2.6.3.tgz
3. Configure Harbor (HTTP)
The HTTP configuration is only for test and development environments; in production use HTTPS, see step 6. With plain HTTP, every Docker client that talks to this registry must also list the Harbor host under insecure-registries in its daemon.json (and restart the Docker daemon), otherwise docker login and docker push fail because the client insists on HTTPS.
[root@localhost ~]# cd harbor
[root@localhost harbor]# cp harbor.yml.tmpl harbor.yml
[root@localhost harbor]# vim harbor.yml
# The DNS name or IP address used to reach the admin UI and the registry service.
# Do not use localhost or 127.0.0.1: Harbor must be reachable by external clients.
# If an IP address is used, it must be the IP of the host Harbor runs on.
hostname: yourdomain.com
# HTTP settings
http:
  # HTTP port, default 80. If HTTPS is enabled, HTTP requests are redirected to the HTTPS port.
  port: 80
# ! Comment out the HTTPS settings for now
# https:
#   # HTTPS port, default 443
#   port: 443
#   # Paths of the server certificate and private key
#   certificate: /data/cert/yourdomain.com.crt
#   private_key: /data/cert/yourdomain.com.key
# Initial password of the Harbor admin user. Only applied on the first install; change it in the UI once Harbor is running.
harbor_admin_password: Harbor12345
# Harbor DB settings
database:
  # Password of the root user of the Harbor DB. Change it before any production use.
  password: root123
  # Maximum number of idle connections kept in the pool. If <= 0, no idle connections are retained.
  max_idle_conns: 100
  # Maximum number of open connections to the database. If <= 0, the number of open connections is unlimited.
  max_open_conns: 900
# Directory on the host where Harbor persists its data
data_volume: /data
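Before running install.sh it is worth checking harbor.yml for the settings in this sample that must not survive into production: the placeholder hostname, the default admin and database passwords, and the commented-out https block. The following pre-install check is an added example, not Harbor project code; it only understands the flat key: value lines harbor.yml uses and assumes the layout shown above (hostname, harbor_admin_password, database.password, https.certificate, https.private_key).

```shell
#!/bin/sh
# Pre-install check for harbor.yml. Added example, not part of the Harbor project.
# It flags the values from the sample above that must not reach production:
# placeholder hostname, default admin and DB passwords, HTTPS left commented out.

# yml_value FILE KEY: print the first uncommented "KEY: value" in FILE with a
# trailing "# comment" and surrounding double quotes removed. It only understands
# the flat "key: value" lines harbor.yml uses; it is not a YAML parser.
yml_value() {
  sed -n -E "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
    sed -E 's/[[:space:]]+#.*$//; s/^"(.*)"$/\1/'
}

# https_enabled FILE: true if the top-level "https:" block is not commented out.
https_enabled() {
  grep -q '^https:' "$1"
}

# check_harbor_yml FILE: print one line per finding; return 1 if any, 0 if clean.
check_harbor_yml() {
  f=$1; bad=0
  # reg.mydomain.com is the default in harbor.yml.tmpl, yourdomain.com the sample above
  case "$(yml_value "$f" hostname)" in
    ""|localhost|127.0.0.1|yourdomain.com|reg.mydomain.com)
      echo "hostname: set the real DNS name or IP of this host; Docker clients connect to it"
      bad=1 ;;
  esac
  case "$(yml_value "$f" harbor_admin_password)" in
    ""|Harbor12345)
      echo "harbor_admin_password: change the default; it is only applied on first install"
      bad=1 ;;
  esac
  # the first "password:" line in harbor.yml is the one under "database:"
  case "$(yml_value "$f" password)" in
    ""|root123)
      echo "database.password: change the default before any production use"
      bad=1 ;;
  esac
  if https_enabled "$f"; then
    for k in certificate private_key; do
      p=$(yml_value "$f" "$k")
      [ -n "$p" ] && [ -r "$p" ] || { echo "https.$k: '$p' is missing or unreadable"; bad=1; }
    done
  else
    echo "https: block is commented out: HTTP-only is for test/dev, and every Docker client must list this host under insecure-registries"
    bad=1
  fi
  return "$bad"
}

# Usage: sh check_harbor_yml.sh harbor.yml   (exit status 1 = findings printed)
if [ "$#" -ge 1 ]; then
  check_harbor_yml "$1"
fi
```

Run it against harbor.yml before ./install.sh and again before every ./prepare; a non-zero exit means at least one of the sample defaults is still in place.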
4. Install Harbor
! Install the matching versions of Docker and Docker Compose before installing Harbor.
[root@localhost harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.18
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 2.14.0
[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-portal:v2.6.3
Loaded image: goharbor/harbor-log:v2.6.3
Loaded image: goharbor/harbor-registryctl:v2.6.3
Loaded image: goharbor/harbor-exporter:v2.6.3
Loaded image: goharbor/harbor-jobservice:v2.6.3
Loaded image: goharbor/redis-photon:v2.6.3
Loaded image: goharbor/notary-server-photon:v2.6.3
Loaded image: goharbor/prepare:v2.6.3
Loaded image: goharbor/harbor-core:v2.6.3
Loaded image: goharbor/nginx-photon:v2.6.3
Loaded image: goharbor/registry-photon:v2.6.3
Loaded image: goharbor/harbor-db:v2.6.3
Loaded image: goharbor/notary-signer-photon:v2.6.3
Loaded image: goharbor/trivy-adapter-photon:v2.6.3
Loaded image: goharbor/chartmuseum-photon:v2.6.3
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Note: stopping existing Harbor instance ...
[Step 5]: starting Harbor ...
[+] Running 10/10
⠿ Network harbor_harbor Created 0.1s
⠿ Container harbor-log Started 2.0s
⠿ Container registry Started 6.5s
⠿ Container redis Started 4.2s
⠿ Container registryctl Started 5.0s
⠿ Container harbor-db Started 4.8s
⠿ Container harbor-portal Started 6.1s
⠿ Container harbor-core Started 8.3s
⠿ Container harbor-jobservice Started 10.7s
⠿ Container nginx Started 11.3s
✔ ----Harbor has been installed and started successfully.----
[root@localhost harbor]# docker-compose top
harbor-core
UID PID PPID C STIME TTY TIME CMD
10000 19440 19418 0 04:06 ? 00:00:03 /harbor/harbor_core
harbor-db
UID PID PPID C STIME TTY TIME CMD
polkitd 19041 18999 0 04:06 ? 00:00:00 postgres -D /var/lib/postgresql/data/pg13 -c max_connections=1024
polkitd 19371 19041 0 04:06 ? 00:00:00 postgres: checkpointer
polkitd 19372 19041 0 04:06 ? 00:00:00 postgres: background writer
polkitd 19373 19041 0 04:06 ? 00:00:00 postgres: walwriter
polkitd 19374 19041 0 04:06 ? 00:00:00 postgres: autovacuum launcher
polkitd 19375 19041 0 04:06 ? 00:00:00 postgres: stats collector
polkitd 19376 19041 0 04:06 ? 00:00:00 postgres: logical replication launcher
polkitd 21287 19041 0 04:11 ? 00:00:00 postgres: postgres registry 172.19.0.8(47856) idle
harbor-jobservice
UID PID PPID C STIME TTY TIME CMD
10000 19611 19564 0 04:06 ? 00:00:04 /harbor/harbor_jobservice -c /etc/jobservice/config.yml
harbor-log
UID PID PPID C STIME TTY TIME CMD
root 18834 18815 0 04:06 ? 00:00:00 /bin/bash /usr/local/bin/start.sh
root 18886 18834 0 04:06 ? 00:00:00 crond
root 18890 18834 0 04:06 ? 00:00:00 sudo -u #10000 -E rsyslogd -n
10000 18917 18890 0 04:06 ? 00:00:00 rsyslogd -n
harbor-portal
UID PID PPID C STIME TTY TIME CMD
10000 19171 19104 0 04:06 ? 00:00:00 nginx: master process nginx -g daemon off;
10000 19366 19171 0 04:06 ? 00:00:00 nginx: worker process
10000 19367 19171 0 04:06 ? 00:00:00 nginx: worker process
10000 19368 19171 0 04:06 ? 00:00:00 nginx: worker process
10000 19369 19171 0 04:06 ? 00:00:00 nginx: worker process
nginx
UID PID PPID C STIME TTY TIME CMD
10000 19620 19582 0 04:06 ? 00:00:00 nginx: master process nginx -g daemon off;
10000 19732 19620 0 04:06 ? 00:00:00 nginx: worker process
10000 19733 19620 0 04:06 ? 00:00:00 nginx: worker process
10000 19734 19620 0 04:06 ? 00:00:00 nginx: worker process
10000 19735 19620 0 04:06 ? 00:00:00 nginx: worker process
redis
UID PID PPID C STIME TTY TIME CMD
polkitd 18978 18944 0 04:06 ? 00:00:02 redis-server *:6379
registry
UID PID PPID C STIME TTY TIME CMD
10000 19186 19129 0 04:06 ? 00:00:00 /usr/bin/registry_DO_NOT_USE_GC serve /etc/registry/config.yml
registryctl
UID PID PPID C STIME TTY TIME CMD
10000 19090 19055 0 04:06 ? 00:00:00 /home/harbor/harbor_registryctl -c /etc/registryctl/config.yml
5. Access Harbor
Log in as admin with the initial password Harbor12345, then change it right away (the value in harbor.yml is only applied on the first install).
6. Configure HTTPS access to Harbor (optional step)
Reference: https://goharbor.io/docs/2.7.0/install-config/configure-yml-file/
Reference: https://goharbor.io/docs/2.7.0/install-config/configure-https/
By default Harbor ships without certificates. It can be deployed without TLS and reached over plain HTTP, but only in test and development environments.
Always use HTTPS in production.
HTTPS is mandatory if Notary content trust is enabled so that all images can be signed.
Configuring HTTPS requires a server certificate. Certificates are normally purchased from or issued by a CA; free certificates are available from https://letsencrypt.org/.
In production, always use a certificate issued by a CA.
6.1. Obtain an SSL certificate from a CA
Free certificates can be obtained from Let's Encrypt or Alibaba Cloud (Aliyun).
6.2. Provide the certificate to Harbor
Download the certificate bundle in NGINX format (a PEM certificate and a PEM private key).
# Place the server certificate and key in the certificate directory on the Harbor host
[root@localhost ~]# mkdir -p /data/cert
[root@localhost ~]# cd /data/cert
[root@localhost cert]# unzip harbor.examplex.site_nginx.zip
Archive: harbor.examplex.site_nginx.zip
Aliyun Certificate Download
inflating: harbor.examplex.site.pem
inflating: harbor.examplex.site.key
6.3. Configure Harbor to enable HTTPS
[root@localhost cert]# cd ~/harbor/
[root@localhost harbor]# vim harbor.yml
...
hostname: harbor.examplex.site   # set the hostname to the domain name on the certificate
# HTTP settings
# With HTTPS enabled, HTTP requests are redirected to HTTPS
http:
  port: 80
# HTTPS settings
https:
  port: 443
  certificate: /data/cert/harbor.examplex.site.pem
  private_key: /data/cert/harbor.examplex.site.key
...
6.4. Regenerate the configuration and restart Harbor
# Regenerate the configuration files from harbor.yml
[root@localhost harbor]# ./prepare
# Stop and remove the running instance
# Harbor data is persisted on the host under "data_volume: /data", so this does not lose any data
[root@localhost harbor]# docker-compose down -v
# 重新创建并启动Harbor相关容器服务
[root@localhost harbor]# docker-compose up -d
6.5. Verify HTTPS access
Open https://<domain> in a browser: the page should load without a certificate warning, and "docker login <domain>" should succeed from a client that has no insecure-registries entry for this host.
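Before editing harbor.yml in 6.3 it pays to confirm that the downloaded certificate and key actually belong together, that the certificate covers the hostname and is not about to expire, and that the key file is not readable by other users; a mismatch only shows up as an nginx start failure after ./prepare, and a leaked key lets anyone impersonate the registry. The following preflight is an added example, not Harbor project code; it assumes openssl is on PATH (it is a listed prerequisite), PEM-encoded files as unpacked in 6.2, and uses the placeholder domain harbor.examplex.site from this page.

```shell
#!/bin/sh
# Certificate preflight for steps 6.2/6.3. Added example, not Harbor project code.
# Assumes openssl on PATH and PEM-encoded certificate and key files as unpacked
# in 6.2; harbor.examplex.site is the placeholder domain used on this page.

# cert_key_match CERT KEY: true if KEY is the private key of CERT. Compares the
# public key inside the certificate with the public half of the key, so it works
# for RSA and EC keys alike.
cert_key_match() {
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_covers_host CERT HOST: true if HOST is listed in the certificate's
# subjectAltName. Browsers and the Docker client ignore the CN once a SAN is present.
cert_covers_host() {
  h=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -noout -text -in "$1" 2>/dev/null | grep -qE "DNS:${h}(,|\$)"
}

# cert_valid_for CERT SECONDS: true if CERT is valid now and stays valid for at
# least SECONDS more (0 = just "not expired").
cert_valid_for() {
  openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# key_is_private KEY: true if the key file has no group/other permission bits
# (0600, 0400, ...). Anyone who can read it can impersonate the registry.
key_is_private() {
  p=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
  case "$p" in *00) return 0 ;; *) return 1 ;; esac
}

# harbor_cert_preflight CERT KEY HOST: run every check, report, return 1 on any failure.
harbor_cert_preflight() {
  rc=0
  cert_key_match "$1" "$2"     || { echo "private key does not match certificate"; rc=1; }
  cert_covers_host "$1" "$3"   || { echo "certificate SAN does not cover $3"; rc=1; }
  cert_valid_for "$1" 2592000  || { echo "certificate expired or expires within 30 days"; rc=1; }
  key_is_private "$2"          || { echo "private key is readable by group/others"; rc=1; }
  return "$rc"
}

# Usage: sh cert_preflight.sh /data/cert/harbor.examplex.site.pem \
#          /data/cert/harbor.examplex.site.key harbor.examplex.site
if [ "$#" -ge 3 ]; then
  harbor_cert_preflight "$1" "$2" "$3"
fi
```

The 30-day window in harbor_cert_preflight is the point at which a renewal should already be scheduled; lower it if the CA issues short-lived certificates.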
Deploying Harbor to a Kubernetes cluster with Helm (high availability)
Reference: https://goharbor.io/docs/2.7.0/install-config/harbor-ha-helm/
1. Prerequisites
- Kubernetes cluster 1.10+
- Helm 2.8.0+
- Highly available ingress controller
- Highly available PostgreSQL 9.6+
- Highly available Redis
- Shared external storage exposed as a PVC (mountable from every node)
2. Download the Harbor chart
[root@localhost ~]# helm repo add harbor https://helm.goharbor.io
[root@localhost ~]# helm fetch harbor/harbor --untar
3. Configure Harbor
Settings that need to be changed:
- Ingress
- External URL
- Connection to the external highly available PostgreSQL
- Connection to the external highly available Redis
- PVC on shared storage for the registry data
[root@minikube ~]# vim harbor/values.yaml
4. Deploy Harbor
[root@localhost ~]# helm install my-release harbor/
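The list above says which values must change but not what they look like. The following is an added example, not from the Harbor chart or its docs: it writes an override file covering those five settings, refuses to install if the file still describes a single-node or insecure layout, and then installs the chart with it. Key names follow goharbor/harbor-helm and should be confirmed against "helm show values harbor/harbor" for the chart version you deploy. The hostnames, the storage class and the Secret names (harbor-tls, harbor-admin, harbor-db, harbor-redis) are placeholders for objects you create beforehand.

```shell
#!/bin/sh
# Helm values override for the HA deployment described above. Added example, not
# from the Harbor chart or docs; key names follow goharbor/harbor-helm and should
# be checked against "helm show values harbor/harbor" for your chart version.
# Hostnames, storage class and Secret names are placeholders.

# write_harbor_ha_values FILE: write the override covering the five settings above.
write_harbor_ha_values() {
  cat > "$1" <<'EOF'
# 1. Ingress: TLS terminates at the ingress with a pre-created kubernetes.io/tls Secret
expose:
  type: ingress
  tls:
    enabled: true
    certSource: secret
    secret:
      secretName: harbor-tls
  ingress:
    hosts:
      core: harbor.examplex.site
    className: nginx
# 2. External URL: what browsers and "docker login" use; must match the ingress host
externalURL: https://harbor.examplex.site
# Admin password from a pre-created Secret instead of the chart default
existingSecretAdminPassword: harbor-admin
existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
# 3. External HA PostgreSQL; password in a Secret, TLS to the database
database:
  type: external
  external:
    host: pg-ha.example.internal
    port: "5432"
    username: harbor
    coreDatabase: registry
    existingSecret: harbor-db
    sslmode: require
# 4. External HA Redis; password in a Secret
redis:
  type: external
  external:
    addr: redis-ha.example.internal:6379
    existingSecret: harbor-redis
# 5. Registry data on shared storage: RWX so several registry replicas can mount it
persistence:
  enabled: true
  resourcePolicy: keep
  persistentVolumeClaim:
    registry:
      storageClass: nfs-client
      accessMode: ReadWriteMany
      size: 200Gi
EOF
}

# check_harbor_ha_values FILE: reject values that would silently give a single-node
# or insecure install; print findings, return 1 on any.
check_harbor_ha_values() {
  f=$1; bad=0
  grep -qE '^[[:space:]]*type: ingress' "$f" || { echo "expose.type must be ingress"; bad=1; }
  grep -qE '^externalURL: https://' "$f" || { echo "externalURL must be https"; bad=1; }
  [ "$(grep -cE '^[[:space:]]*type: external' "$f")" -eq 2 ] || { echo "database and redis must both be external"; bad=1; }
  grep -qE '^[[:space:]]*accessMode: ReadWriteMany' "$f" || { echo "registry PVC must be ReadWriteMany"; bad=1; }
  ! grep -qE '^[[:space:]]*(harborAdminPassword|password):' "$f" || { echo "plaintext password in values; use existingSecret"; bad=1; }
  return "$bad"
}

# harbor_ha_install FILE: deploy with the override and wait until the release is ready.
harbor_ha_install() {
  helm repo add harbor https://helm.goharbor.io --force-update
  helm repo update
  helm install my-release harbor/harbor --namespace harbor --create-namespace -f "$1" --wait
}

# Usage: sh harbor_ha.sh harbor-values.yaml
if [ "$#" -ge 1 ]; then
  write_harbor_ha_values "$1" && check_harbor_ha_values "$1" && harbor_ha_install "$1"
fi
```

The check is deliberately line-based: it catches the two mistakes that most often turn an "HA" install into a single point of failure (internal database or Redis, an RWO registry volume) and the one that leaks credentials into the release history (passwords written directly into values).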
Using Harbor
1. Create a project
Access level:
- Public: anyone can pull images from the project
- Private: pulling requires "docker login" first
Storage quota: -1 means unlimited
2. View the push command
Project -> Repositories -> Push Command
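The same two steps can be scripted for CI instead of clicking through the UI: create the project through the Harbor v2 REST API with the same options the dialog offers (access level, storage quota), then tag and push with the reference the Push Command tab shows. The following is an added example, not from the Harbor docs; it assumes a Harbor instance reachable over HTTPS, an account allowed to create projects, and the credentials exported as HARBOR_USER and HARBOR_PASS. harbor.examplex.site and nginx:1.25 are placeholders.

```shell
#!/bin/sh
# Added example, not from the Harbor docs: create a project through the Harbor v2
# REST API (POST /api/v2.0/projects) and push an image to it. Assumes HTTPS,
# an account allowed to create projects, and HARBOR_USER / HARBOR_PASS in the
# environment. harbor.examplex.site is a placeholder.

# project_json NAME PUBLIC LIMIT_BYTES: request body for POST /api/v2.0/projects.
# PUBLIC is "true" or "false" (metadata values are strings); LIMIT_BYTES -1 = unlimited.
project_json() {
  printf '{"project_name":"%s","metadata":{"public":"%s"},"storage_limit":%s}' "$1" "$2" "$3"
}

# gib_to_bytes N: storage_limit is in bytes; the UI lets you type GiB.
gib_to_bytes() {
  echo $(( $1 * 1024 * 1024 * 1024 ))
}

# harbor_create_project HOST NAME [PUBLIC] [LIMIT_BYTES]: prints the HTTP status.
# 201 = created, 409 = already exists, 401/403 = bad credentials or no permission.
# Credentials reach curl through "-K -" (config read from stdin) so the password
# is not visible in the process list, unlike "-u user:pass" on the command line.
harbor_create_project() {
  host=$1; name=$2; public=${3:-false}; limit=${4:--1}
  printf 'user = "%s:%s"\n' "$HARBOR_USER" "$HARBOR_PASS" |
    curl -sS -K - -o /dev/null -w '%{http_code}\n' \
      -X POST "https://$host/api/v2.0/projects" \
      -H 'Content-Type: application/json' \
      -d "$(project_json "$name" "$public" "$limit")"
}

# harbor_ref HOST PROJECT IMAGE[:TAG]: the reference Harbor's "Push Command" tab shows.
harbor_ref() {
  printf '%s/%s/%s\n' "$1" "$2" "$3"
}

# harbor_push HOST PROJECT IMAGE[:TAG]: log in with the password on stdin
# (never as a command-line argument), tag, push, log out.
harbor_push() {
  ref=$(harbor_ref "$1" "$2" "$3")
  printf '%s' "$HARBOR_PASS" | docker login "$1" -u "$HARBOR_USER" --password-stdin
  docker tag "$3" "$ref" && docker push "$ref"
  docker logout "$1"
}

# Usage: HARBOR_USER=admin HARBOR_PASS=... sh harbor_project.sh harbor.examplex.site demo nginx:1.25
# Creates private project "demo" with a 10 GiB quota and pushes the local image into it.
if [ "$#" -ge 2 ]; then
  harbor_create_project "$1" "$2" false "$(gib_to_bytes 10)"
  harbor_push "$1" "$2" "${3:-nginx:1.25}"
fi
```

A 409 from harbor_create_project is normal on re-runs and can be treated as success; anything else is worth failing the pipeline on, because a push to a project that does not exist is rejected by the registry with a permission error rather than a clear "not found".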