opea helm app

Helm | Docs   Helm Chinese manual

Helm | Start here

env

Two environment variables are used: one holds the Harbor registry FQDN, the other names the workspace (Harbor project) in which images are stored.

harborurl=your-harbor.com
project=catalog-apps

Install the certificate on the machine

We use openssl to fetch the certificate from the Harbor registry and store it in the Docker configuration path.

sudo mkdir -p /etc/docker/certs.d/${harborurl}
 
openssl s_client -showcerts  -connect registry.${harborurl}:443 </dev/null | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' |sudo tee -a /etc/docker/certs.d/${harborurl}/ca.crt

Alternatively:

wget --no-proxy http://${harborurl}:8081/ca.crt
sudo mkdir -p /etc/docker/certs.d/${harborurl}
sudo mv ca.crt /etc/docker/certs.d/${harborurl}
sudo systemctl restart docker
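
Both ways of fetching ca.crt above accept whatever the network returns: s_client does not stop on an unverified chain, and the wget download is plain HTTP. The following added example (not part of the original post) checks the fetched file against a SHA-256 fingerprint obtained out of band and installs only the certificate that matched; the function names and the EXPECTED_FP variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pin the Harbor CA certificate by
# its SHA-256 fingerprint before it becomes a trust root for Docker.

# Normalise a fingerprint: drop any "name=" prefix, colons and whitespace,
# then lowercase the hex digits.
norm_fp() {
    printf '%s' "${1##*=}" | tr -d ': \n\r' | tr 'A-F' 'a-f'
}

# Succeed only if $1 is a well-formed SHA-256 fingerprint (64 hex digits)
# and $2 normalises to the same value.
fp_matches() (
    a=$(norm_fp "$1"); b=$(norm_fp "$2")
    case $a in ''|*[!0-9a-f]*) exit 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
)

# Print the SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# install_pinned_ca <fetched ca.crt> <expected fingerprint> <destination dir>
# Exit status: 0 installed, 1 mismatch, 2 unreadable certificate.
install_pinned_ca() (
    cert=$1; expected=$2; dest=$3
    actual=$(cert_fp "$cert") || { echo "cannot parse $cert" >&2; exit 2; }
    if ! fp_matches "$expected" "$actual"; then
        echo "fingerprint mismatch, refusing to install $cert" >&2
        echo "  expected: $(norm_fp "$expected")" >&2
        echo "  actual:   $(norm_fp "$actual")" >&2
        exit 1
    fi
    # Write only the certificate that was fingerprinted, not any extra PEM
    # blocks that may follow it in the fetched file.
    mkdir -p "$dest" && openssl x509 -in "$cert" -out "$dest/ca.crt"
)

# Usage as root on the Docker host, with EXPECTED_FP (an assumed variable)
# obtained out of band, e.g. read off the Harbor server by its administrator:
#   install_pinned_ca ./ca.crt "$EXPECTED_FP" "/etc/docker/certs.d/${harborurl}"
```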

On the edge node

Add the certificate to the trust pool

sudo cp ca.crt /usr/local/share/ca-certificates/harbor-ca.crt
 
sudo update-ca-certificates --fresh

Log in to the Harbor registry

Run this command on the orchestrator server to get the credential of the Harbor registry.

 
credential=$(kubectl get -n harbor secrets harbor-admin-credential -o json | jq .metadata.annotations | grep -oP "(?<=\"credential).*(?=}})" | tr -d '"\')
credential=${credential#:}
echo "credential=$credential"

NOTE: copy the output printed above to the edge node.

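#  Username: admin; Password: Harbor12345
# Split at the first colon so a password that contains ':' stays intact
user=${credential%%:*}
pass=${credential#*:}
# Pass the password on stdin so it does not show up in the process list
printf '%s' "$pass" | docker login "${harborurl}" --username "$user" --password-stdin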

Docker push

Push your Docker image to the Harbor registry.

dockimg=test
ov=latest
nv=latest
 
docker tag $dockimg:$ov ${harborurl}/${project}/$dockimg:$nv
docker push ${harborurl}/${project}/$dockimg:$nv

Push Helm chart

First, install the Helm tool.

curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null
sudo apt-get install apt-transport-https --yes
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
sudo apt-get update
sudo apt-get install helm

Check your Helm chart before you push it to the Harbor registry.

chart=mychartpath
# --generate-name supplies the release name that helm install requires
helm install --generate-name --dry-run --debug "./$chart"

Then push your Helm chart to the Harbor registry.

 
chartball=xxx.tgz
chartpath="<helm-dir>"   # placeholder: path to your chart directory
reponame=iotedge-repo
tar czvf "$chartball" "$chartpath"
 
 
helm plugin install https://github.com/chartmuseum/helm-push
helm repo add --username ${user} --password ${pass} --ca-file /etc/docker/certs.d/${harborurl}/ca.crt $reponame https://registry.${harborurl}/chartrepo/${project}
helm cm-push -u ${user} -p ${pass} --ca-file /etc/docker/certs.d/${harborurl}/ca.crt $chartball $reponame

Batch push Helm charts

for SUBDIR in */; do
    # Remove trailing slash
    SUBDIR_NAME="${SUBDIR%/}"
    echo "$SUBDIR_NAME"

    # Only directories that contain a Chart.yaml are packaged and pushed
    if [ -e "$SUBDIR_NAME/Chart.yaml" ]
    then
        echo "This is a Helm Chart file"
        tar -czf "${SUBDIR_NAME}.tgz" "$SUBDIR_NAME"
        helm cm-push -u "${user}" -p "${pass}" --ca-file "/etc/docker/certs.d/${harborurl}/ca.crt" "${SUBDIR_NAME}.tgz" "$reponame"
        rm "${SUBDIR_NAME}.tgz"
    else
        echo "Not a Helm Chart file, skip"
    fi
done

Troubleshooting

Upload the certs to the new cluster

mkdir -p /opt/certs
cd /opt/certs
wget --no-proxy http://${harborurl}:8081/ca.crt
wget --no-proxy http://${harborurl}:8081/harbor.com.crt
wget --no-proxy http://${harborurl}:8081/harbor.com.key

Update the RKE2 registry configuration

$ cat /etc/rancher/rke2/registries.yaml
---
# Define the proxy registry to pull images from
mirrors:
  zz-iotedge-harbor.sh.intel.com:
    endpoint:
      - "https://zz-iotedge-harbor.sh.intel.com"
 
configs:
  "zz-iotedge-harbor.sh.intel.com":
    auth:
      username: admin
      password: 1q2w3e@intelQ_0
    tls:
      cert_file: /opt/certs/harbor.com.crt
      key_file: /opt/certs/harbor.com.key
      ca_file: /opt/certs/ca.crt
      insecure_skip_verify: true

Restart the service

$ sudo systemctl restart rke2-server
# Make sure it's in effect.
$ sudo cat /var/lib/rancher/rke2/agent/etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".registry.configs."zz-iotedge-harbor.sh.intel.com".auth]
  username = "admin"
  password = "1q2w3e@intelQ_0"

[plugins."io.containerd.grpc.v1.cri".registry.configs."zz-iotedge-harbor.sh.intel.com".tls]
  ca_file = "/opt/certs/ca.crt"
  cert_file = "/opt/certs/harbor.com.crt"
  key_file = "/opt/certs/harbor.com.key"
  insecure_skip_verify = true

 

 

posted @ 2024-09-24 19:41  lvmxh