Linux: deploying Harbor with HTTPS authentication

I. Install Docker

1. Download the Docker RPM bundle

  [root@harbor.yuanlinux.com ~]# ll
  -rw-r--r-- 1 root root 101239922 Apr 12 15:29 docker-rpm-20_10_24.tar.gz

2. Extract and install the packages

  [root@harbor.yuanlinux.com ~]# tar xf docker-rpm-20_10_24.tar.gz
  [root@harbor.yuanlinux.com ~]# cd docker-rpm-20.10/
  [root@harbor.yuanlinux.com ~/docker-rpm-20.10]# yum -y localinstall *.rpm

3. Enable bash completion

  [root@harbor.yuanliunx.com ~]# yum -y install bash-completion
  [root@harbor.yuanliunx.com ~]# source /usr/share/bash-completion/bash_completion

4. Configure a registry mirror (image acceleration)

  [root@harbor.yuanliunx.com ~/docker-rpm-20.10]# mkdir -p /etc/docker
  [root@harbor.yuanliunx.com ~/docker-rpm-20.10]# tee /etc/docker/daemon.json <<-'EOF'
  > {
  > "registry-mirrors": ["自己的加速地址"]
  > }
  > EOF
  [root@harbor.yuanliunx.com ~/docker-rpm-20.10]# systemctl daemon-reload
  [root@harbor.yuanliunx.com ~/docker-rpm-20.10]# systemctl restart docker
   

5. Verify that the mirror is configured

  [root@harbor.yuanliunx.com ~]# docker info | grep "Registry Mirrors" -A 1
  WARNING: bridge-nf-call-iptables is disabled
  WARNING: bridge-nf-call-ip6tables is disabled
  Registry Mirrors:
  https://tuv7rqqq.mirror.aliyuncs.com/

6. Enable Docker at boot

  [root@harbor.yuanliunx.com ~]# systemctl enable --now docker

II. Install docker-compose

1. Add the EPEL repository

  [root@harbor.yuanliunx.com ~]# curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

2. Install docker-compose

  [root@harbor.yuanliunx.com ~]# yum -y install docker-compose

3. Check the docker-compose version

  [root@harbor.yuanliunx.com ~]# docker-compose version
  docker-compose version 1.18.0, build 8dd22a9
  docker-py version: 2.6.1
  CPython version: 3.6.8
  OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017

III. Install Harbor

1. Download the Harbor package

  [root@harbor.yuanlinux.com ~]# ll
  -rw-r--r-- 1 root root 610192663 Apr 12 09:23 harbor-offline-installer-v1.10.10.tgz

2. Create the working directory

  [root@harbor.yuanlinux.com ~]# mkdir -pv /data/softwares

3. Extract the Harbor package

  [root@harbor.yuanlinux.com ~]# tar xf harbor-offline-installer-v1.10.10.tgz -C /data/softwares/

4. Create the certificate working directories

  [root@harbor.yuanlinux.com ~]# mkdir -pv /data/softwares/harbor/certs/{ca,server,client}

5. Generate a self-signed CA certificate

5.1 Enter the certificate directory

  [root@harbor.yuanlinux.com ~]# cd /data/softwares/harbor/certs/

5.2 Generate the CA private key

  [root@harbor.yuanlinux.com /data/softwares/harbor/certs]# openssl genrsa -out ca/ca.key 4096

5.3 Generate the CA's self-signed certificate

  [root@harbor.yuanlinux.com /data/softwares/harbor/certs]# openssl req -x509 -new -nodes -sha512 -days 3650 \
  > -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yuanlinux.com" \
  > -key ca/ca.key \
  > -out ca/ca.crt

6. Generate the Harbor server certificate and the client certificate files

6.1 Generate the Harbor host's private key

  [root@harbor.yuanlinux.com /data/softwares/harbor/certs]# openssl genrsa -out server/harbor.yuanlinux.com.key 4096
  Generating RSA private key, 4096 bit long modulus

6.2 Generate the Harbor host's certificate signing request (CSR)

  [root@harbor.yuanlinux.com /data/softwares/harbor/certs]# openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.yuanlinux.com" \
  -key server/harbor.yuanlinux.com.key \
  -out server/harbor.yuanlinux.com.csr

6.3 Create the x509 v3 extension file (SAN entries for the registry hostname)

  [root@harbor.yuanlinux.com /data/softwares/harbor/certs]# cat > v3.ext <<-EOF
  authorityKeyIdentifier=keyid,issuer
  basicConstraints=CA:FALSE
  keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
  extendedKeyUsage = serverAuth
  subjectAltName = @alt_names
   
  [alt_names]
  DNS.1=yuanlinux.com
  DNS.2=yuanlinux
  DNS.3=harbor.yuanlinux.com
  EOF

6.4 Sign the Harbor host certificate with the CA using "v3.ext"

  [root@harbor.yuanlinux.com /data/softwares/harbor/certs]# openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
  -in server/harbor.yuanlinux.com.csr \
  -out server/harbor.yuanlinux.com.crt

6.5 Convert the .crt file into a .cert client certificate file

  [root@harbor.yuanlinux.com /data/softwares/harbor/certs]# openssl x509 -inform PEM -in server/harbor.yuanlinux.com.crt -out server/harbor.yuanlinux.com.cert

6.6 Prepare the Docker client certificate files

  [root@harbor.yuanlinux.com /data/softwares/harbor/certs]# cp server/harbor.yuanlinux.com.{cert,key} client/
  [root@harbor.yuanlinux.cn /data/softwares/harbor/certs]# cp ca/ca.crt client/
  [root@harbor.yuanlinux.cn /data/softwares/harbor/certs]# ll client/
  total 12
  -rw-r--r-- 1 root root 2029 Apr 12 20:21 ca.crt
  -rw-r--r-- 1 root root 2118 Apr 12 20:21 harbor.yuanlinux.com.cert
  -rw-r--r-- 1 root root 3243 Apr 12 20:21 harbor.yuanlinux.com.key

6.7 Review all generated certificate files

  [root@harbor.yuanlinux.com /data/softwares/harbor/certs]# ll -R
  .:
  total 4
  drwxr-xr-x 2 root root 48 Apr 12 20:20 ca
  drwxr-xr-x 2 root root 83 Apr 12 20:21 client
  drwxr-xr-x 2 root root 131 Apr 12 20:21 server
  -rw-r--r-- 1 root root 272 Apr 12 20:19 v3.ext
   
  ./ca:
  total 12
  -rw-r--r-- 1 root root 2029 Apr 12 20:18 ca.crt
  -rw-r--r-- 1 root root 3243 Apr 12 20:16 ca.key
  -rw-r--r-- 1 root root 17 Apr 12 20:20 ca.srl
   
  ./client:
  total 12
  -rw-r--r-- 1 root root 2029 Apr 12 20:21 ca.crt
  -rw-r--r-- 1 root root 2118 Apr 12 20:21 harbor.yuanlinux.com.cert
  -rw-r--r-- 1 root root 3243 Apr 12 20:21 harbor.yuanlinux.com.key
   
  ./server:
  total 16
  -rw-r--r-- 1 root root 2118 Apr 12 20:21 harbor.yuanlinux.com.cert
  -rw-r--r-- 1 root root 2118 Apr 12 20:20 harbor.yuanlinux.com.crt
  -rw-r--r-- 1 root root 1716 Apr 12 20:19 harbor.yuanlinux.com.csr
  -rw-r--r-- 1 root root 3243 Apr 12 20:18 harbor.yuanlinux.com.key
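As an added, end-to-end version of steps 5 through 6 (example code written for this page, not from the original post): the same openssl commands wrapped in a function, followed by the two checks a Docker client performs before it trusts the registry, chain validation against ca.crt and hostname matching against the subjectAltName. The hostname harbor.example.test, the scratch directory and the subject fields are assumptions. On the client/ bundle: Docker only needs ca.crt under /etc/docker/certs.d/<registry>/ to trust the server; the .cert/.key pair is used for client-certificate authentication, so the server's private key does not have to travel to client nodes.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduce steps 5-6 as a function,
# then verify the result the way a TLS client would (chain to ca.crt + hostname in SAN).
# The hostname, scratch directory and subject fields are assumptions.
set -eu

SUBJ_BASE="/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal"

# make_harbor_certs DIR HOST [EXTRA_DNS]
# Creates DIR/ca/{ca.key,ca.crt}, DIR/server/HOST.{key,csr,crt,cert} and DIR/client/.
make_harbor_certs() {
  dir="$1"; host="$2"; extra="${3:-}"
  mkdir -p "$dir/ca" "$dir/server" "$dir/client"

  # 5.2 / 5.3: CA key and 10-year self-signed CA certificate
  openssl genrsa -out "$dir/ca/ca.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "$SUBJ_BASE/CN=example-ca" \
    -key "$dir/ca/ca.key" -out "$dir/ca/ca.crt"

  # 6.1 / 6.2: server key and CSR
  openssl genrsa -out "$dir/server/$host.key" 4096 2>/dev/null
  openssl req -sha512 -new -subj "$SUBJ_BASE/CN=$host" \
    -key "$dir/server/$host.key" -out "$dir/server/$host.csr"

  # 6.3: v3 extensions. Docker's Go TLS stack ignores the CN and requires a SAN,
  # so every name clients will use MUST appear under [alt_names].
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=$host
EOF
  if [ -n "$extra" ]; then
    printf 'DNS.2=%s\n' "$extra" >> "$dir/v3.ext"
  fi

  # 6.4: sign the CSR with the CA, applying the v3 extensions
  openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
    -CA "$dir/ca/ca.crt" -CAkey "$dir/ca/ca.key" -CAcreateserial \
    -in "$dir/server/$host.csr" -out "$dir/server/$host.crt" 2>/dev/null

  # 6.5 / 6.6: Docker expects *.cert for a client certificate; stage the bundle in client/
  openssl x509 -inform PEM -in "$dir/server/$host.crt" -out "$dir/server/$host.cert"
  cp "$dir/server/$host.cert" "$dir/server/$host.key" "$dir/ca/ca.crt" "$dir/client/"
}

# verify_server_cert CA_CRT SERVER_CRT HOST
# Exit 0 only if SERVER_CRT chains to CA_CRT and HOST matches its subjectAltName,
# the same two checks a Docker client makes before trusting the registry.
verify_server_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# cert_has_san CRT NAME: exit 0 if NAME is one of the certificate's DNS SANs.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# Stand-alone demo in a scratch directory (left in place so the files can be inspected).
demo_dir=$(mktemp -d)
make_harbor_certs "$demo_dir" harbor.example.test >/dev/null 2>&1
echo "certificates written to $demo_dir"
if verify_server_cert "$demo_dir/ca/ca.crt" "$demo_dir/server/harbor.example.test.crt" harbor.example.test; then
  echo "harbor.example.test: chain and hostname OK"
fi
if ! verify_server_cert "$demo_dir/ca/ca.crt" "$demo_dir/server/harbor.example.test.crt" other.example.test; then
  echo "other.example.test: rejected (not in SAN), as expected"
fi
```

Run it as `sh make-harbor-certs.sh`; the negative case shows why the extension file matters: a certificate that chains correctly is still rejected for any name missing from the SAN list, which is the error a client gets when the registry is reached under an alias that was never added to `[alt_names]`.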

7. Configure the Harbor server to use the certificates

7.1 Change to the working directory

  [root@harbor.yuanlinux.com /data/softwares/harbor/certs]# cd ..
  [root@harbor.yuanlinux.com /data/softwares/harbor]#

7.2 Edit the configuration file

  [root@harbor.yuanlinux.com /data/softwares/harbor]# cat -n harbor.yml
  # edit these lines (hostname, https certificate/private_key, admin password)
  5 hostname: harbor.yuanlinux.com
  17 certificate: /data/softwares/harbor/certs/server/harbor.yuanlinux.com.crt
  18 private_key: /data/softwares/harbor/certs/server/harbor.yuanlinux.com.key
  27 harbor_admin_password: 1

8. Install the Harbor service

  [root@harbor.yuanlinux.com /data/softwares/harbor]# ./install.sh

9. Verification

9.1 Verify Harbor's HTTPS from Windows

  # C:\Windows\System32\drivers\etc\hosts
  10.0.0.250 harbor.yuanlinux.com

https://harbor.yuanlinux.com/



9.2 Verify Harbor's HTTPS from Linux

9.2.1 Configure name resolution

  [root@harbor.yuanlinux.com ~]# echo 10.0.0.250 harbor.yuanlinux.com >> /etc/hosts

9.2.2 On the Docker client node, create the directory for the self-signed certificate, named after the registry's domain

  [root@harbor.yuanlinux.com ~]# mkdir -pv /etc/docker/certs.d/harbor.yuanlinux.com

9.2.3 Copy the certificate files from the server to the Docker client node; if this step is skipped, the client fails with "x509: certificate signed by unknown authority"

  [root@harbor.yuanlinux.com ~]# cp /data/softwares/harbor/certs/client/* /etc/docker/certs.d/harbor.yuanlinux.com/
  [root@harbor.yuanlinux.com ~]# ll /etc/docker/certs.d/harbor.yuanlinux.com/
  total 12
  -rw-r--r-- 1 root root 2029 Apr 12 20:35 ca.crt
  -rw-r--r-- 1 root root 2118 Apr 12 20:35 harbor.linuxyuan.com.cert
  -rw-r--r-- 1 root root 3243 Apr 12 20:35 harbor.linuxyuan.com.key

9.2.4 Log in to verify

  [root@harbor.yuanliunx.com /data/softwares/harbor]# docker login -u admin -p 1 harbor.yuanlinux.com
  WARNING! Using --password via the CLI is insecure. Use --password-stdin.
  WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
  Configure a credential helper to remove this warning. See
  https://docs.docker.com/engine/reference/commandline/login/#credentials-store
   
  Login Succeeded

9.2.5 Log out

  [root@harbor.yuanlinux.com ~]# more /root/.docker/config.json
  {
  "auths": {
  "harbor.yuanlinux.com": {
  "auth": "YWRtaW46MQ=="
  }
  }
  }
   
  # this file stores the Harbor password; log out promptly
   
   
  [root@harbor.yuanlinux.com ~]# docker logout harbor.yuanlinux.com
  Removing login credentials for harbor.yuanlinux.com
   
  [root@harbor.yuanlinux.com ~]# more /root/.docker/config.json
  {
  "auths": {}
  }
   
  echo YWRtaW46MQ== | base64 -d | more
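As an added example that is not from the original post: a small audit of a Docker config.json. The "auth" value is only base64 of user:password, which is what the `base64 -d` line above decodes, so every registry listed there has its password on disk in clear. The script names those registries together with the account (without printing the secret) and reports whether a credential helper (credsStore / credHelpers) is configured instead. The harbor.yuanlinux.com entry is the one from the post; the second registry, its credential and the temporary file path are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find registries whose login is stored
# inline in config.json. File paths and the second registry are constructed assumptions.
set -eu

# stored_logins FILE
# Prints "<registry> <username>" for each registry with an inline "auth" entry.
# Handles both the compact `more` output shown in the post and indented files.
stored_logins() {
  awk '
    # a key followed by "{" opens a registry (or the outer "auths") object
    /^[[:space:]]*"[^"]+"[[:space:]]*:[[:space:]]*[{]/ {
      name = $0; sub(/^[[:space:]]*"/, "", name); sub(/".*/, "", name)
    }
    # the inline credential: "auth": "<base64 of user:password>"
    /"auth"[[:space:]]*:[[:space:]]*"/ {
      v = $0; sub(/.*"auth"[[:space:]]*:[[:space:]]*"/, "", v); sub(/".*/, "", v)
      print name, v
    }' "$1" |
  while read -r registry b64; do
    # decode only far enough to name the account; the password itself is never echoed
    user=$(printf '%s' "$b64" | base64 -d | cut -d: -f1)
    printf '%s %s\n' "$registry" "$user"
  done
}

# uses_credential_helper FILE
# Exit 0 if a credsStore/credHelpers entry is present, i.e. secrets are handed to an
# external store (pass, osxkeychain, ...) instead of being written into this file.
uses_credential_helper() {
  grep -Eq '"(credsStore|credHelpers)"' "$1"
}

# write_sample_config FILE: constructed sample, one entry taken from the post
# (admin:1 on harbor.yuanlinux.com) plus a made-up second registry.
write_sample_config() {
  second=$(printf '%s' 'ci-bot:s3cret' | base64)
  cat > "$1" <<EOF
{
  "auths": {
    "harbor.yuanlinux.com": {
      "auth": "YWRtaW46MQ=="
    },
    "registry.example.test": {
      "auth": "$second"
    }
  }
}
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
stored_logins "$sample"
# harbor.yuanlinux.com admin
# registry.example.test ci-bot
uses_credential_helper "$sample" || echo "no credential helper configured: run 'docker logout <registry>' when finished"
rm -f "$sample"
```

Point it at the real file with `stored_logins /root/.docker/config.json` to see which registries still hold a login after a session; each name it prints is one `docker logout <registry>` that is still outstanding.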

Addendum

  After a machine reboot, some Harbor services occasionally fail to come up; check them.
  # go to the harbor directory
  [root@harbor.yuanliunx.com /data/softwares/harbor]# docker-compose ps
  # if they are not up, tear the stack down and bring it back up
  [root@harbor.yuanliunx.com /data/softwares/harbor]# docker-compose down -v -t 1
  [root@harbor.yuanliunx.com /data/softwares/harbor]# docker-compose up -d
 
posted @ 2024-10-30 00:29  雪竹子