
Harbor link summary
Harbor deployment
Harbor deployment: HTTPS and docker login
Browser does not support HTTPS login to Harbor

Configure the Harbor certificate

Current directory: /etc/harbor/ssl/

1. Generate the certificate authority (CA) certificate and private key

openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Shanghai/L=Shanghai/O=SmartX/OU=Lab/CN=test.harbor.com"  -key ca.key  -out ca.crt

2. Generate the server private key and certificate signing request (CSR)

openssl genrsa -out test.harbor.com.key 4096

3. Generate the certificate signing request

openssl req -sha512 -new  -subj "/C=CN/ST=Shanghai/L=Shanghai/O=SmartX/OU=Lab/CN=test.harbor.com"  -key test.harbor.com.key  -out test.harbor.com.csr

4. Generate the x509 v3 extension file.

cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=test.harbor.com
DNS.3=harbor
EOF

5. Use the v3.ext file to generate the certificate for the Harbor server.

openssl x509 -req -sha512 -days 3650  -extfile v3.ext  -CA ca.crt -CAkey ca.key -CAcreateserial  -in test.harbor.com.csr  -out test.harbor.com.crt

6. Convert test.harbor.com.crt to test.harbor.com.cert for use by Docker. The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.

openssl x509 -inform PEM -in test.harbor.com.crt -out test.harbor.com.cert

7. Set the certificate and key paths in harbor.yml

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /etc/harbor/ssl/test.harbor.com.crt
  private_key: /etc/harbor/ssl/test.harbor.com.key
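
The checks a practitioner would run on the files from steps 1-5 before pointing harbor.yml at them, as an added example (not from the original post): check_harbor_cert confirms that the server certificate chains to the CA, covers the registry hostname, and matches the private key. The function names and the throwaway demo CA built by make_demo_pki are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a CA-signed Harbor server cert.
# Usage with the files from this page (run in /etc/harbor/ssl/):
#   check_harbor_cert ca.crt test.harbor.com.crt test.harbor.com.key test.harbor.com

# check_harbor_cert CA_CRT SERVER_CRT SERVER_KEY HOSTNAME
# Returns 0 if everything is consistent, 1 if chain/purpose/hostname
# verification fails, 2 if the private key does not belong to the cert.
check_harbor_cert() {
    ca=$1; crt=$2; key=$3; host=$4
    # Chain to the CA, validity period, TLS-server purpose and hostname.
    openssl verify -CAfile "$ca" -purpose sslserver \
        -verify_hostname "$host" "$crt" >/dev/null 2>&1 || return 1
    # Compare the public key in the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 2
    return 0
}

# make_demo_pki DIR HOSTNAME
# Constructed sample data: a throwaway CA and server cert (2048-bit, valid
# 1 day) so the check can be exercised without touching real keys.
make_demo_pki() {
    d=$1; host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/O=Demo/CN=Demo Lab CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Demo/CN=$host" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    cat > "$d/v3.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
    openssl x509 -req -sha256 -days 1 -extfile "$d/v3.ext" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -in "$d/srv.csr" -out "$d/srv.crt" 2>/dev/null
}
```

A return code of 1 for the real files usually means the name passed to docker login is missing from [alt_names] in v3.ext.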

Configure Docker to trust the Harbor certificate

When Harbor uses an HTTPS certificate, docker login fails with the following error:

[root@rocky-linux ~]# docker login test.harbor.com -uadmin -pHarbor@Test
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get "https://test.harbor.com/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

Solution:

Method 1:

Create the certificate directory on the Docker client machine

mkdir -p /etc/docker/certs.d/test.harbor.com/

Copy the self-signed certificate into the Docker directory

sudo cp /etc/harbor/ssl/test.harbor.com.crt /etc/docker/certs.d/test.harbor.com/ca.crt

Restart the Docker service

sudo systemctl restart docker

Log in to Harbor

[root@rocky-linux harbor]# docker login test.harbor.com -uadmin -pHarbor@Test
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Method 2:

Edit the Docker configuration file

sudo nano /etc/docker/daemon.json

Add the Harbor address as an insecure registry (Docker then does not verify this registry's certificate)

{
  "insecure-registries": ["test.harbor.com"]
}

Restart the Docker service

sudo systemctl restart docker

Log in to Harbor

docker login your.harbor.domain
posted on 2024-11-03 23:16  anyux