Jenkins之docker in docker用https登录harbor

以下是官网的基础环境

   

先创建network

docker network create jenkins

     

运行容器jenkins-docker,网络别名为docker

docker run \

--name jenkins-docker \

--rm \

--detach \

--privileged \

--network jenkins \

--network-alias docker \

--env DOCKER_TLS_CERTDIR=/certs \

--volume jenkins-docker-certs:/certs/client \

--volume jenkins-data:/var/jenkins_home \

--publish 2376:2376 \

--publish 3000:3000 --publish 5000:5000 \

docker:dind \

--storage-driver overlay2

     

vi Dockerfile

FROM jenkins/jenkins:2.387.1

USER root

RUN apt-get update && apt-get install -y lsb-release

RUN curl -fsSLo /usr/share/keyrings/docker-archive-keyring.asc \

https://download.docker.com/linux/debian/gpg

RUN echo "deb [arch=$(dpkg --print-architecture) \

signed-by=/usr/share/keyrings/docker-archive-keyring.asc] \

https://download.docker.com/linux/debian \

$(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list

RUN apt-get update && apt-get install -y docker-ce-cli

USER jenkins

RUN jenkins-plugin-cli --plugins "blueocean docker-workflow"

   

构建

docker build -t myjenkins-blueocean:2.387.1-1 .

   

Run your own myjenkins-blueocean:2.387.1-1 image as a container in Docker

   

docker run \

--name jenkins-blueocean \

--detach \

--network jenkins \

--env DOCKER_HOST=tcp://docker:2376 \

--env DOCKER_CERT_PATH=/certs/client \

--env DOCKER_TLS_VERIFY=1 \

--publish 8080:8080 \

--publish 50000:50000 \

--volume jenkins-data:/var/jenkins_home \

--volume jenkins-docker-certs:/certs/client:ro \

--volume "$HOME":/home \

--restart=on-failure \

--env JAVA_OPTS="-Dhudson.plugins.git.GitSCM.ALLOW_LOCAL_CHECKOUT=true" \

myjenkins-blueocean:2.387.1-1

  


 

写一个自己的pipleline  

node {

stage('Clone') {

echo "1.Clone Stage"

git url: "https://github.com/baidjay/jenkins-demo.git"

script {

build_tag = sh(returnStdout: true, script: 'git rev-parse --short HEAD').trim()

}

echo "${build_tag}"

}

   

stage('Test') {

echo "2.Test Stage"

}

stage('Build') {

echo "3.Build Docker Image Stage"

sh "docker build -t 192.168.1.143:81/jenkins/jenkins-demo:${build_tag} ."

}

   

stage('Push') {

echo "4.Push Docker Image Stage"

sh "docker login --username=admin 192.168.1.143:81 -p Harbor12345"

sh "docker push https://allinone.st.com/jenkins/jenkins-demo:${build_tag}"

 

}

     

stage('YAML') {

echo "5. Change YAML File Stage"

def userInput = input(

id: 'userInput',

message: 'Choose a deploy environment',

parameters: [

[

$class: 'ChoiceParameterDefinition',

choices: "Dev\nQA\nProd",

name: 'Env'

]

]

)

echo "This is a deploy step to ${userInput}"

sh "sed -i 's/<BUILD_TAG>/${build_tag}/' k8s.yaml"

sh "sed -i 's/<BRANCH_NAME>/${userInput}/' k8s.yaml"

sh "sed -i 's#registry.cn-hangzhou.aliyuncs.com/ik9s#harbor.st.com/jenkins#' k8s.yaml"

sh "cat k8s.yaml"

}

     

stage('Deploy') {

echo "6. Deploy Stage"

withKubeConfig([credentialsId: '2bc4be96-168a-4033-ba16-51eb0e21xxx', serverUrl: 'https://192.168.1.151:6443']) {

sh 'kubectl apply -f k8s.yaml'

}  

}

}

   

     

运行出错

       使用harbor http方式连接,提示要用https连接

  


官网教程: Configure HTTPS Access to Harbor

https://goharbor.io/docs/1.10/install-config/configure-https/  

https://goharbor.io/docs/2.6.0/install-config/configure-https/  


Generate a Certificate Authority Certificate
  

openssl genrsa -out ca.key 4096

  

openssl req -x509 -new -nodes -sha512 -days 3650 \

-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=st.com" \

-key ca.key \

-out ca.crt  

   

Generate a Server Certificate

The certificate usually contains a .crt file and a .key file

   

openssl genrsa -out st.com.key 4096

   

openssl req -sha512 -new \

-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=st.com" \

-key st.com.key \

-out st.com.csr

     

cat > v3.ext <<-EOF

authorityKeyIdentifier=keyid,issuer

basicConstraints=CA:FALSE

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

extendedKeyUsage = serverAuth

subjectAltName = @alt_names

   

[alt_names]

DNS.1=st.com

DNS.2=st

DNS.3=harbor.st.com

DNS.4=harbor

EOF     

   

openssl x509 -req -sha512 -days 3650 \

-extfile v3.ext \

-CA ca.crt -CAkey ca.key -CAcreateserial \

-in st.com.csr \

-out st.com.crt

  
Provide the Certificates to Harbor and Docker

After generating the ca.crt, yourdomain.com.crt, and yourdomain.com.key files, you must provide them to Harbor and to Docker, and reconfigure Harbor to use them.

   

Copy the server certificate and key into the certficates folder on your Harbor host.

   

cp st.com.crt /data/cert/

cp st.com.key /data/cert/

   

openssl x509 -inform PEM -in st.com.crt -out st.com.cert

     

mkdir /etc/docker/certs.d/st.com


cp st.com.cert /etc/docker/certs.d/st.com/

cp st.com.key /etc/docker/certs.d/st.com/

cp ca.crt /etc/docker/certs.d/st.com/

     

如果不是443端口,文件夹命名为yourdomain.com:port

If you mapped the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port, or /etc/docker/certs.d/harbor_IP:port.

     

systemctl restart docker

     

操作系统级别信任证书

cp ca.crt /etc/pki/ca-trust/source/anchors/st.com.crt

update-ca-trust extract

systemctl restart docker

(harborlogin一次)

   

注意:是ca.crt,不是 yourdomain.com..crt (官网是先提前操作cat intermediate-certificate.pem >> yourdomain.com.crt)


https://goharbor.io/docs/2.6.0/install-config/troubleshoot-installation/#https

     


harbor配置文件启用https  

vim harbor.yml

hostname: harbor.st.com
http:
port: 80
https
port: 4443
#
存放证书的目录
certificate: /data/cert/st.com.crt
private_key: /data/cert/st.com.key
harbor_admin_password: Harbor12345
data_volume: /data/harbor
log
location: /data/harbor/logs

       

docker-compose down

重新用配置文件启动,不是直接docker-compose up -d

./install.sh  

docker-compose ps

  

 

       运行报另一个错

  


Harbor docker login x509 certificate signed by unknown authority

docker login --username=admin allinone.xxx.com -p Harbor12345  

Error response from daemon: Get "https://harbor.st.com:4443/v2/": x509: certificate signed by unknown authority  

原因是Docker未信任我们自己生成的CA证书

   

文件名        

说明

ca.crt        

CA证书公钥

ca.key        

CA证书密钥

harbor.crt        

Harbor SSL证书公钥

harbor.key        

Harbor SSL证书密钥

   

方法一

# 192.168.37.170Habor hostname

mkdir -p /etc/docker/certs.d/192.168.37.170

cp ca.crt /etc/docker/certs.d/192.168.37.170

   

systemctl restart docker

   

如果Docker daemon的方法不行,则参考下面的方法在操作系统级别导入并信任我们生成的CA证书。

   

方法二实测成功

cp ca.crt /etc/pki/ca-trust/source/anchors

update-ca-trust extract

systemctl restart docker

注意:是ca.crt,不是harbor.crt

   

方法三

cp ca.crt /etc/pki/tls/certs/ca.crt

# backup ca-bundle.crt

cp -p ca-bundle.crt ca-bundle.crt.bak

cat ca.crt >> /etc/pki/tls/certs/ca-bundle.crt

   

systemctl restart docker

注意:是ca.crt,不是harbor.crt

        

另一篇参考文档

https://github.com/goharbor/harbor/issues/6774

   

   

   

不同系统添加证书  

来自 <https://blog.csdn.net/SHELLCODE_8BIT/article/details/125250740>

   

Mac OS X

添加证书:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/new-root-certificate.crt

移除证书:

sudo security delete-certificate -c ""

   

Windows

添加证书:

certutil -addstore -f "ROOT" new-root-certificate.crt

移除证书:

certutil -delstore "ROOT" serial-number-hex

   

Linux (Ubuntu, Debian)

添加证书:

1.复制 CA 文件到目录: /usr/local/share/ca-certificates/

2.执行:

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

3.更新 CA 证书库:

sudo update-ca-certificates

移除证书:

1.Remove your CA.

2.Update the CA store:

sudo update-ca-certificates --fresh

Restart Kerio Connect to reload the certificates in the 32-bit versions or Debian 7.

   

Linux (CentOs 6)

添加证书:

1.安装 ca-certificates package:

yum install ca-certificates

2.启用dynamic CA configuration feature:

update-ca-trust force-enable

3.Add it as a new file to /etc/pki/ca-trust/source/anchors/:

cp foo.crt /etc/pki/ca-trust/source/anchors/

4.执行:

update-ca-trust extract

Restart Kerio Connect to reload the certificates in the 32-bit version.

   

 

   

构建自己的jenkins-docker 增加ca证书

[root@localhost dockerdind]# cat Dockerfile

FROM docker:dind

COPY ca.crt /usr/local/share/ca-certificates/

RUN update-ca-certificates

     

docker build -t docker:mydind .  

   

docker run \

--name jenkins-docker \

--detach \

--privileged \

--network jenkins \

--network-alias docker \

--env DOCKER_TLS_CERTDIR=/certs \

--volume jenkins-docker-certs:/certs/client \

--volume jenkins-data:/var/jenkins_home \

--publish 2376:2376 \

--publish 3000:3000 --publish 5000:5000 \

docker:mydind \

--storage-driver overlay2

   

至此,Jenkins docker版用https登录harbor成功

   

   

   

   

   

   

   

   

posted @ 2023-04-18 21:34  ST运维  阅读(918)  评论(0编辑  收藏  举报